CREATE OR REPLACE VIEW "ta_descriptions" AS
SELECT *
FROM
(
VALUES
ROW ('rSs93HQwa1', 'en', 'Amazon RDS Public Snapshots', 'Checks the permission settings for your Amazon Relational Database Service (Amazon RDS) DB snapshots and alerts you if any snapshots are marked as public. When you make a snapshot public, you give all AWS accounts and users access to all the data on the snapshot. If you want to share a snapshot with particular users or accounts, mark the snapshot as private, and then specify the user or accounts you want to share the snapshot data with. Note
: Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
Alert Criteria
Red: The RDS snapshot is marked as public.
Recommended Action
Unless you are certain you want to share all the data in the snapshot with all AWS accounts and users, modify the permissions: mark the snapshot as private, and then specify the accounts that you want to give permissions to. For more information, see Sharing a DB Snapshot or DB Cluster Snapshot. Note: For temporary technical reasons, items in this check cannot be excluded from view in the Trusted Advisor console.To modify permissions for your snapshots directly, you can use a runbook in the AWS Systems Manager console. For more information, see AWSSupport-ModifyRDSSnapshotPermission.
Additional Resources
Backing Up and Restoring Amazon RDS DB Instances')
, ROW ('xSqX82fQu', 'en', 'ELB Security Groups', 'Checks for load balancers configured with a missing security group or a security group that allows access to ports that are not configured for the load balancer. If a security group associated with a load balancer is deleted, the load balancer does not work as expected. If a security group allows access to ports that are not configured for the load balancer, the risk of loss of data or malicious attacks increases.
Alert Criteria
Yellow: The inbound rules of an Amazon VPC security group associated with a load balancer allow access to ports that are not defined in the load balancers listener configuration.
Red: A security group associated with a load balancer does not exist.
Recommended Action
Configure the security group rules to restrict access to only those ports and protocols that are defined in the load balancer listener configuration, plus the ICMP protocol to support Path MTU Discovery. See Listeners for Your Classic Load Balancer and Security Groups for Load Balancers in a VPC.
If a security group is missing, apply a new security group to the load balancer. Create security group rules that restrict access to only those ports and protocols that are defined in the load balancer listener configuration. See Security Groups for Load Balancers in a VPC.
Additional Resources
Elastic Load Balancing User Guide
Configure Your Classic Load Balancer')
, ROW ('aW7HH0l7J9', 'en', 'Auto Scaling Launch Configurations', 'Checks for usage that is more than 80% of the Auto Scaling Launch Configurations Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('dx3xfbjfMr', 'en', 'Route 53 Traffic Policies', 'Checks for usage that is more than 80% of the Route 53 Traffic Policies Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('gH5CC0e3J9', 'en', 'EBS Cold HDD (sc1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Cold HDD (sc1) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('b73EEdD790', 'en', 'Amazon Route 53 Failover Resource Record Sets', 'Checks for Amazon Route 53 failover resource record sets that are misconfigured. When Amazon Route 53 health checks determine that the primary resource is unhealthy, Amazon Route 53 responds to queries with a secondary, backup resource record set. You must create correctly configured primary and secondary resource record sets for failover to work. Hosted zones created by AWS services won’t appear in your check results.
Alert Criteria
Yellow: A primary failover resource record set does not have a corresponding secondary resource record set.
Yellow: A secondary failover resource record set does not have a corresponding primary resource record set.
Yellow: Primary and secondary resource record sets that have the same name are associated with the same health check.
Recommended Action
If a failover resource set is missing, create the corresponding resource record set; see Creating Failover Resource Record Sets.
If your resource record sets are associated with the same health check, create separate health checks for each one; see Creating, Updating, and Deleting Health Checks.
Additional Information
Amazon Route 53 Health Checks and DNS Failover')
, ROW ('N425c450f2', 'en', 'CloudFront Custom SSL Certificates in the IAM Certificate Store', 'Checks the SSL certificates for CloudFront alternate domain names in the IAM certificate store and alerts you if the certificate is expired, will soon expire, uses outdated encryption, or is not configured correctly for the distribution. When a custom certificate for an alternate domain name expires, browsers that display your CloudFront content might show a warning message about the security of your website. Certificates that are encrypted by using the SHA-1 hashing algorithm are being deprecated by web browsers such as Chrome and Firefox. If a certificate doesnt contain any domain names that match either Origin Domain Name or the domain name in the Host header of viewer requests, CloudFront returns an HTTP status code 502 (bad gateway) to the user. For more information, see Using Alternate Domain Names and HTTPS.')
, ROW ('L4dfs2Q4C5', 'en', 'AWS Lambda Functions Using Deprecated Runtimes', 'Checks for Lambda functions that are configured to use a runtime that is approaching deprecation or is deprecated. Deprecated runtimes are not eligible for security updates or technical support.
Notes:
')
, ROW ('L4dfs2Q4C6', 'en', 'AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy', 'Checks for VPC-enabled Lambda functions that are vulnerable to service interruption in a single availability zone. It is recommended for VPC-enabled functions to be connected to multiple availability zones for high availability.
Note:
Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
Alert Criteria
Yellow: A VPC-enabled Lambda function connected to subnets in a single Availability Zone.
Recommended Action
When configuring functions for access to your VPC, choose subnets in multiple Availability Zones to ensure high availability.
Additional Resources
Configuring a Lambda function to access resources in a VPC
Resilience in AWS Lambda
')
, ROW ('cF171Db240', 'en', 'Amazon Route 53 Name Server Delegations', 'Checks for Amazon Route 53 hosted zones for which your domain registrar or DNS is not using the correct Route 53 name servers. When you create a hosted zone, Route 53 assigns a delegation set of four name servers. The names of these servers are ns-###.awsdns-##.com, .net, .org, and .co.uk, where ### and ## typically represent different numbers. Before Route 53 can route DNS queries for your domain, you must update your registrars name server configuration to remove the name servers that the registrar assigned and add all four name servers in the Route 53 delegation set. For maximum availability, you must add all four Route 53 name servers. Hosted zones created by AWS services won’t appear in your check results.
Alert Criteria
Yellow: A hosted zone for which the registrar for your domain does not use all four of the Route 53 name servers in the delegation set.
Recommended Action
Add or update name server records with your registrar or with the current DNS service for your domain to include all four of the name servers in your Route 53 delegation set. To find these values, see Getting the Name Servers for a Hosted Zone. For information about adding or updating name server records, see Creating and Migrating Domains and Subdomains to Amazon Route 53.
Additional Resources
Working with Hosted Zones
')
, ROW ('cG7HH0l7J9', 'en', 'EBS Magnetic (standard) Volume Storage', 'Checks for usage that is more than 80% of the EBS Magnetic (standard) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('sU7XX0l7J9', 'en', 'IAM Group', 'Checks for usage that is more than 80% of the IAM Group Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('N420c450f2', 'en', 'CloudFront Alternate Domain Names', 'Checks Amazon CloudFront distributions for alternate domain names (CNAMES) that have incorrectly configured DNS settings. If a CloudFront distribution includes alternate domain names, the DNS configuration for the domains must route DNS queries to that distribution.
Note: This check assumes Amazon Route 53 DNS and Amazon CloudFront distribution are configured in the same AWS account. As such the Alert list may include resources otherwise working as expected due to DNS setting outsides of this AWS account.
Alert Criteria
Yellow: A CloudFront distribution includes alternate domain names, but the DNS configuration is not correctly set up with a CNAME record or an Amazon Route 53 alias resource record.
Yellow: A CloudFront distribution includes alternate domain names, but Trusted Advisor could not evaluate the DNS configuration because there were too many redirects.
Yellow: A CloudFront distribution includes alternate domain names, but Trusted Advisor could not evaluate the DNS configuration for some other reason, most likely because of a timeout.
Recommended Action
Update the DNS configuration to route DNS queries to the CloudFront distribution; see Using Alternate Domain Names (CNAMEs). If youre using Amazon Route 53 as your DNS service, see Routing Traffic to an Amazon CloudFront Web Distribution by Using Your Domain Name. If the check timed out, try refreshing the check.
Additional Resources
Amazon CloudFront Developer Guide')
, ROW ('COr6dfpM04', 'en', 'Amazon EBS under-provisioned volumes', 'Checks the Amazon Elastic Block Storage (Amazon EBS) volumes that were running at any time during the lookback period. This check alerts you if any EBS volumes were under-provisioned for your workloads. Consistent high utilization can indicate optimized, steady performance, but can also indicate that an application does not have enough resources.
Source
AWS Compute Optimizer
Alert Criteria
Yellow: An EBS Volume that was under-provisioned during the lookback period. To determine if a volume is under-provisioned, we consider all default CloudWatch metrics (including IOPS and throughput). The algorithm used to identify under-provisioned EBS volumes follows AWS best practices. The algorithm is updated when a new pattern has been identified.
Recommended Action
Consider upsizing volumes that have high utilization.
Additional Resources
For more information about this recommendation, see the Trusted Advisor documentation.')
, ROW ('COr6dfpM03', 'en', 'Amazon EBS over-provisioned volumes', 'Checks the Amazon Elastic Block Storage (Amazon EBS) volumes that were running at any time during the lookback period. This check alerts you if any EBS volumes were over-provisioned for your workloads. When you have over-provisioned volumes, you’re paying for unused resources. Although some scenarios can result in low optimization by design, you can often lower your costs by changing the configuration of your EBS volumes. Estimated monthly savings are calculated by using the current usage rate for EBS volumes. Actual savings will vary if the volume isn’t present for a full month.
Source
AWS Compute Optimizer
Alert Criteria
Yellow: An EBS Volume that was over-provisioned during the lookback period. To determine if a volume is over-provisioned, we consider all default CloudWatch metrics (including IOPS and throughput). The algorithm used to identify over-provisioned EBS volumes follows AWS best practices. The algorithm is updated when a new pattern has been identified.
Recommended Action
Consider downsizing volumes that have low utilization.
Additional Resources
For more information about this recommendation, see the Trusted Advisor documentation..')
, ROW ('jtlIMO3qZM', 'en', 'RDS Cluster Parameter Groups', 'Checks for usage that is more than 80% of the RDS Cluster Parameter Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('COr6dfpM06', 'en', 'AWS Lambda under-provisioned functions for memory size', 'Checks the AWS Lambda functions that were invoked at least once during the lookback period. This check alerts you if any of your Lambda functions were under-provisioned for memory size. When you have Lambda functions that are under-provisioned for memory size, these functions take longer time to complete.
Source
AWS Compute Optimizer
Alert Criteria
Yellow: A Lambda function that was under-provisioned for memory size during the lookback period. To determine if a Lambda function is under-provisioned, we consider all default CloudWatch metrics for that function. The algorithm used to identify under-provisioned Lambda functions for memory size follows AWS best practices. The algorithm is updated when a new pattern has been identified.
Recommended Action
Consider increasing the memory size of your Lambda functions.
Additional Resources
For more information about this recommendation, see the Trusted Advisor documentation.')
, ROW ('COr6dfpM05', 'en', 'AWS Lambda over-provisioned functions for memory size', 'Checks the AWS Lambda functions that were invoked at least once during the lookback period. This check alerts you if any of your Lambda functions were over-provisioned for memory size. When you have Lambda functions that are over-provisioned for memory sizes, you’re paying for unused resources. Although some scenarios can result in low utilization by design, you can often lower your costs by changing the memory configuration of your Lambda functions. Estimated monthly savings are calculated by using the current usage rate for Lambda functions.
Source
AWS Compute Optimizer
Alert Criteria
Yellow: A Lambda function that was over-provisioned for memory size during the lookback period. To determine if a Lambda function is over-provisioned, we consider all default CloudWatch metrics for that function. The algorithm used to identify over-provisioned Lambda functions for memory size follows AWS best practices. The algorithm is updated when a new pattern has been identified.
Recommended Action
Consider reducing the memory size of your Lambda functions.
Additional Resources
For more information about this recommendation, see the Trusted Advisor documentation page.')
, ROW ('f2iK5R6Dep', 'en', 'Amazon RDS Multi-AZ', 'Checks for DB instances that are deployed in a single Availability Zone. Multi-AZ deployments enhance database availability by synchronously replicating to a standby instance in a different Availability Zone. During planned database maintenance or the failure of a DB instance or Availability Zone, Amazon RDS automatically fails over to the standby so that database operations can resume quickly without administrative intervention. Because Multi-AZ deployments for the SQL Server engine use a different mechanism for synchronization, this check does not examine SQL Server instances.')
, ROW ('jEhCtdJKOY', 'en', 'RDS Subnets per Subnet Group', 'Checks for usage that is more than 80% of the RDS Subnets per Subnet Group Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('a2sEc6ILx', 'en', 'ELB Listener Security', 'Checks for load balancers with listeners that do not use recommended security configurations for encrypted communication. AWS recommends using a secure protocol (HTTPS or SSL), up-to-date security policies, and ciphers and protocols that are secure.
When you use a secure protocol for a front-end connection (client to load balancer), the requests are encrypted between your clients and the load balancer, which is more secure.
Elastic Load Balancing provides predefined security policies with ciphers and protocols that adhere to AWS security best practices. New versions of predefined policies are released as new configurations become available.
Alert Criteria
Yellow: A load balancer has no listener that uses a secure protocol (HTTPS or SSL).
Yellow: A load balancer listener uses an outdated predefined SSL security policy.
Yellow: A load balancer listener uses a cipher or protocol that is not recommended.
Red: A load balancer listener uses an insecure cipher or protocol.
Recommended Action
- If the traffic to your load balancer must be secure, use either the HTTPS or the SSL protocol for the front-end connection.
- Upgrade your load balancer to the latest version of the predefined SSL security policy.
- Use only the recommended ciphers and protocols.
For more information, see Listener Configurations for Elastic Load Balancing.
Additional Resources
Listener Configurations Quick Reference
Update SSL Negotiation Configuration of Your Load Balancer
SSL Negotiation Configurations for Elastic Load Balancing
SSL Security Policy Table
')
, ROW ('ePs02jT06w', 'en', 'Amazon EBS Public Snapshots', 'Checks the permission settings for your Amazon Elastic Block Store (Amazon EBS) volume snapshots and alerts you if any snapshots are marked as public. When you make a snapshot public, you give all AWS accounts and users access to all the data on the snapshot. If you want to share a snapshot with particular users or accounts, mark the snapshot as private, and then specify the user or accounts you want to share the snapshot data with. Note
: Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
Alert Criteria
Red: The EBS volume snapshot is marked as public.
Recommended Action
Unless you are certain you want to share all the data in the snapshot with all AWS accounts and users, modify the permissions: mark the snapshot as private, and then specify the accounts that you want to give permissions to. For more information, see Sharing an Amazon EBS Snapshot. Note: For temporary technical reasons, items in this check cannot be excluded from view in the Trusted Advisor console.To modify permissions for your snapshots directly, you can use a runbook in the AWS Systems Manager console. For more information, see AWSSupport-ModifyEBSSnapshotPermission.
Additional Resources
Amazon EBS Snapshots')
, ROW ('R365s2Qddf', 'en', 'Amazon S3 Bucket Versioning', 'Checks for Amazon Simple Storage Service buckets that do not have versioning enabled, or have versioning suspended. When versioning is enabled, you can easily recover from both unintended user actions and application failures. Versioning allows you to preserve, retrieve, and restore any version of any object stored in a bucket. You can use lifecycle rules to manage all versions of your objects as well as their associated costs by automatically archiving objects to the Glacier storage class or removing them after a specified time period. You can also choose to require multi-factor authentication (MFA) for any object deletions or configuration changes to your buckets.
Versioning cannot be disabled after it has been enabled, but it can be suspended, which prevents new versions of objects from being created. Using versioning can increase your costs for Amazon S3, because you pay for storage of multiple versions of an object.
Alert Criteria
Green: Versioning is enabled for the bucket.
Yellow: Versioning is not enabled for the bucket.
Yellow: Versioning is suspended for the bucket.
Recommended Action
Enable bucket versioning on most buckets to prevent accidental deletion or overwriting. See Using Versioning and Enabling Versioning Programmatically.
If bucket versioning is suspended, consider reenabling versioning. For information on working with objects in a versioning-suspended bucket, see Managing Objects in a Versioning-Suspended Bucket.
When versioning is enabled or suspended, you can define lifecycle configuration rules to mark certain object versions as expired or to permanently remove unneeded object versions. For more information, see Object Lifecycle Management.
MFA Delete requires additional authentication when the versioning status of the bucket is changed or when versions of an object are deleted. It requires the user to enter credentials and a code from an approved authentication device. For more information, see MFA Delete.
Additional Resources
Working with Buckets')
, ROW ('Wxdfp4B1L2', 'en', 'AWS Well-Architected high risk issues for performance efficiency', 'Checks for high risk issues (HRIs) for your workloads in the performance pillar. This check is based on your AWS-Well Architected reviews. Your check results depend on whether you completed the workload evaluation with AWS Well-Architected.
Alert Criteria
Red: At least one active high risk issue was identified in the performance pillar for AWS Well-Architected.')
, ROW ('Wxdfp4B1L3', 'en', 'AWS Well-Architected high risk issues for security', 'Checks for high risk issues (HRIs) for your workloads in the security pillar. This check is based on your AWS-Well Architected reviews. Your check results depend on whether you completed the workload evaluation with AWS Well-Architected.
Alert Criteria
Red: At least one active high risk issue was identified in the security pillar for AWS Well-Architected.')
, ROW ('8wIqYSt25K', 'en', 'ELB Network Load Balancers', 'Checks for usage that is more than 80% of the ELB Network Load Balancers Limit. Classic Load Balancers and Application Load Balancers have separate limits. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
')
, ROW ('Wxdfp4B1L4', 'en', 'AWS Well-Architected high risk issues for reliability', 'Checks for high risk issues (HRIs) for your workloads in the Reliability pillar. This check is based on your AWS-Well Architected reviews. Your check results depend on whether you completed the workload evaluation with AWS Well-Architected.
Alert Criteria
Red: At least one active high risk issue was identified in the reliability pillar for AWS Well-Architected.')
, ROW ('Wxdfp4B1L1', 'en', 'AWS Well-Architected high risk issues for cost optimization', 'Checks for high risk issues (HRIs) for your workloads in the cost optimization pillar. This check is based on your AWS-Well Architected reviews. Your check results depend on whether you completed the workload evaluation with AWS Well-Architected.
Alert Criteria
Red: At least one active high risk issue was identified in the cost optimization pillar for AWS Well-Architected.')
, ROW ('opQPADkZvH', 'en', 'Amazon RDS Backups', 'Checks for automated backups of Amazon RDS DB instances. By default, backups are enabled with a retention period of 1 day. Backups reduce the risk of unexpected data loss and allow for point-in-time recovery.')
, ROW ('L4dfs2Q3C2', 'en', 'AWS Lambda Functions with High Error Rates', 'Checks for Lambda functions with high error rates that may result in high cost. Lambda charges based on the number of requests and aggregate execution time for your function. Function errors may cause retries that incur additional charges.
Note:
Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
Alert Criteria
Yellow: Functions where > 10% of invocations end in error on any given day within the last 7 days.
Recommended Action
Consider the following guidelines to reduce errors. Function errors include errors returned by the functions code and errors returned by the functions runtime. To help you troubleshoot Lambda errors, Lambda integrates with services like Amazon CloudWatch and AWS X-Ray. You can use a combination of logs, metrics, alarms, and X-ray tracing to quickly detect and identify issues in your function code, API, or other resources that support your application. For more information, see Monitoring and troubleshooting Lambda applications. For more information on handling errors with specific runtimes, see Error handling and automatic retries in AWS Lambda. For additional troubleshooting, see Troubleshooting issues in Lambda.You can also choose from an ecosystem of monitoring and observability tools provided by AWS Lambda partners. For additional information about Partners, see AWS Lambda Partners.
Additional Resources
Error Handling and Automatic Retries in AWS Lambda
Monitoring and Troubleshooting Lambda applications
Lambda Function Retry Timeout SDK
Troubleshooting issues in Lambda
API Invoke Errors
Error Processor Sample Application for AWS Lambda
')
, ROW ('L4dfs2Q3C3', 'en', 'AWS Lambda Functions with Excessive Timeouts', 'Checks for Lambda functions with high timeout rates that may result in high cost. Lambda charges based on execution time for your function and number of requests for your function. Function timeouts result in function errors that may cause retries that incur additional request and execution time charges.
Note:
Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
Alert Criteria
Yellow: Functions where > 10% of invocations end in an error due to a timeout on any given day within the last 7 days.
Recommended Action
Inspect function logging and X-ray traces to determine the contributor to the high function duration. Implement logging in your code at relevant parts, such as before or after API calls or database connections. By default, AWS SDK clients timeouts may be longer than the configured function duration. Adjust API and SDK connection clients to retry or fail within the function timeout. If the expected duration is longer than the configured timeout, you can increase the timeout setting for the function. For more information, see Monitoring and troubleshooting Lambda applications.
Additional Resources
Monitoring and troubleshooting Lambda applications
Lambda Function Retry Timeout SDK
Using AWS Lambda with AWS X-Ray
Accessing Amazon CloudWatch logs for AWS Lambda
Error Processor Sample Application for AWS Lambda
')
, ROW ('vjafUGJ9H0', 'en', 'AWS CloudTrail Logging', 'Checks for your use of AWS CloudTrail. CloudTrail provides increased visibility into activity in your AWS account by recording information about AWS API calls made on the account. You can use these logs to determine, for example, what actions a particular user has taken during a specified time period or which users have taken actions on a particular resource during a specified time period. Because CloudTrail delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket, CloudTrail must have write permissions for the bucket. If a trail applies to all regions (the default when creating a new trail), the trail appears multiple times in the Trusted Advisor report.')
, ROW ('7fuccf1Mx7', 'en', 'RDS Cluster Roles', 'Checks for usage that is more than 80% of the RDS Cluster Roles Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('ru4xfcdfMr', 'en', 'Route 53 Max Health Checks', 'Checks for usage that is more than 80% of the Route 53 Health Checks Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('dV84wpqRUs', 'en', 'RDS DB Manual Snapshots', 'Checks for usage that is more than 80% of the RDS DB Manual Snapshots Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('xuy7H1avtl', 'en', 'Amazon Aurora DB Instance Accessibility', 'Checks for cases where an Amazon Aurora DB cluster has both private and public instances. When your primary instance fails, a replica can be promoted to a primary instance. If that replica is private, users who have only public access would no longer be able to connect to the database after failover. Its best practice for all the DB instances in a cluster to have the same accessibility.
Alert Criteria
Yellow: The instances in an Aurora DB cluster have different accessibility (a mix of public and private).
Recommended Action
Modify the Publicly Accessible
setting of the instances in the DB cluster so that they are all either public or private. For details, see the instructions for MySQL instances at Modifying a DB Instance Running the MySQL Database Engine.
Additional Resources
Fault Tolerance for an Aurora DB Cluster')
, ROW ('0t121N1Ty3', 'en', 'AWS Direct Connect Connection Redundancy', 'Checks for regions that have only one AWS Direct Connect connection. Connectivity to your AWS resources should have two Direct Connect connections configured at all times to provide redundancy in case a device is unavailable.
Note:
Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
Alert Criteria
Yellow: The region has only one Direct Connect connection.
Recommended Action
Configure an additional Direct Connect connection in this region to protect against device unavailability. For more information, see Configure Redundant Connections with AWS Direct Connect. To protect against site unavailability and add location redundancy, configure the additional Direct Connect connection to a different Direct Connect location.
Additional Resources
Getting Started with AWS Direct Connect
AWS Direct Connect FAQs ')
, ROW ('RH23stmM01', 'en', 'AWS Resilience Hub resilience scores', 'Checks if you have run an assessment for your applications in Resilience Hub. This check alerts you if your resilience scores are below a specific value. Results for this check are automatically refreshed once every day.
Alert Criteria
Green: Your application has a resilience score of 70 or greater.')
, ROW ('RH23stmM02', 'en', 'AWS Resilience Hub policy breached', 'Checks Resilience Hub for applications that dont meet the recovery time objective (RTO) and recovery point objective (RPO) that the policy defines. The check alerts you if your application doesnt meet the RTO and RPO objectives youve set for an application in Resilience Hub.
Alert Criteria
Green: The application has a policy and meets the RTO and RPO objectives.')
, ROW ('hc0dfs7601', 'en', 'AWS CloudHSM clusters running HSM instances in a single AZ', 'Checks your clusters that run HSM instances in a single Availability Zone (AZ). This check alerts you if your clusters are at risk of not having the most recent backup.
Alert Criteria
Yellow: A CloudHSM cluster is running all HSM instances in a single Availability Zone for more than 1 hour.')
, ROW ('DqdJqYeRm5', 'en', 'IAM Access Key Rotation', 'Checks for active IAM access keys that have not been rotated in the last 90 days. When you rotate your access keys regularly, you reduce the chance that a compromised key could be used without your knowledge to access resources. For the purposes of this check, the last rotation date and time is when the access key was created or most recently activated. The access key number and date come from the access_key_1_last_rotated
and access_key_2_last_rotated
information in the most recent IAM credential report. Because the regeneration frequency of a credential report is restricted, refreshing this check might not reflect recent changes (for details, see Getting Credential Reports for Your AWS Account).
In order to create and rotate access keys, a user must have the appropriate permissions. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.
Alert Criteria
Green: The access key is active and has been rotated in the last 90 days.
Yellow: The access key is active and has been rotated in the last 2 years, but more than 90 days ago.
Red: The access key is active and has not been rotated in the last 2 years.
Recommended Action
Rotate access keys on a regular basis. See Rotating Access Keys and Managing Access Keys for IAM Users.
Additional Resources
IAM Best Practices
How to rotate access keys for IAM users (AWS blog)')
, ROW ('7DAFEmoDos', 'en', 'MFA on Root Account', 'Checks the root account and warns if multi-factor authentication (MFA) is not enabled. For increased security, we recommend that you protect your account by using MFA, which requires a user to enter a unique authentication code from their MFA hardware or virtual device when interacting with the AWS console and associated websites.')
, ROW ('tfg86AVHAZ', 'en', 'Large Number of Rules in an EC2 Security Group', 'Checks each Amazon Elastic Compute Cloud (EC2) security group for an excessive number of rules. If a security group has a large number of rules, performance can be degraded.')
, ROW ('kM7QQ0l7J9', 'en', 'VPC Internet Gateways', 'Checks for usage that is more than 80% of the VPC Internet Gateways Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('HCP4007jGY', 'en', 'Security Groups - Specific Ports Unrestricted', 'Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.')
, ROW ('Pfx0RwqBli', 'en', 'Amazon S3 Bucket Permissions', 'Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions or allow access to any authenticated AWS user. Bucket permissions that grant List access can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. Bucket permissions that grant Upload/Delete access create potential security vulnerabilities by allowing users that to add, modify, or remove items in a bucket.')
, ROW ('Hs4Ma3G191', 'en', 'RDS cluster snapshots and database snapshots should be encrypted at rest', 'Checks if Amazon RDS cluster snapshots and database snapshots are encrypted.')
, ROW ('Hs4Ma3G192', 'en', 'RDS DB Instances should prohibit public access, determined by the PubliclyAccessible configuration', 'Checks if RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item.')
, ROW ('Hs4Ma3G193', 'en', 'RDS DB instances should have encryption at-rest enabled', 'Checks if storage encryption is enabled for your RDS DB instances.')
, ROW ('Hs4Ma3G194', 'en', 'RDS snapshot should be private', 'Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.')
, ROW ('Hs4Ma3G195', 'en', 'CloudFront distributions should have origin access identity enabled', 'Checks if an Amazon CloudFront distribution with an Amazon S3 origin type has Origin Access Identity (OAI) configured. The check fails if the CloudFront distribution that is backed by Amazon S3 does not have OAI configured.')
, ROW ('Hs4Ma3G196', 'en', 'AWS Config should be enabled', 'Checks if the Config service is enabled in the account for the local region and is recording all resources.')
, ROW ('B913Ef6fb4', 'en', 'Amazon Route 53 Alias Resource Record Sets', 'Checks for resource record sets that can be changed to alias resource record sets to improve performance and save money. An alias resource record set routes DNS queries to an AWS resource (for example, an Elastic Load Balancing load balancer or an Amazon S3 bucket) or to another Route 53 resource record set. When you use alias resource record sets, Route 53 routes your DNS queries to AWS resources free of charge. Hosted zones created by AWS services won’t appear in your check results.')
, ROW ('Hs4Ma3G197', 'en', 'Amazon Elasticsearch Service domains should have encryption at-rest enabled', 'Checks whether Amazon Elasticsearch Service domains have encryption at rest configuration enabled. This check fails if the EncryptionAtRestOptions field is not enabled.')
, ROW ('Hs4Ma3G198', 'en', 'RDS DB instances should have deletion protection enabled', 'Checks if RDS DB instances have deletion protection enabled.')
, ROW ('1iG5NDGVre', 'en', 'Security Groups - Unrestricted Access', 'Checks security groups for rules that allow unrestricted access to a resource. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).')
, ROW ('Hs4Ma3G190', 'en', 'RDS clusters should have deletion protection enabled', 'Checks if RDS clusters have deletion protection enabled.')
, ROW ('nNauJisYIT', 'en', 'Amazon RDS Security Group Access Risk', 'Checks security group configurations for Amazon Relational Database Service (Amazon RDS) and warns when a security group rule might grant overly permissive access to your database. Recommended configuration for any security group rule is to allow access from specific Amazon Elastic Compute Cloud (Amazon EC2) security groups or from a specific IP address. Data for Amazon Relational Database Service (Amazon RDS) instances created in the Asia Pacific (Seoul) region (sa-east-1) is not available. We are working to fix this issue as soon as possible.')
, ROW ('Hs4Ma3G188', 'en', 'GuardDuty should be enabled', 'Checks if Amazon GuardDuty is enabled in your AWS account and region.')
, ROW ('Hs4Ma3G189', 'en', 'Enhanced monitoring should be configured for RDS DB instances', 'Checks if enhanced monitoring is enabled for your RDS DB instances.')
, ROW ('1e93e4c0b5', 'en', 'Amazon EC2 Reserved Instance Lease Expiration', 'Checks for Amazon EC2 Reserved Instances that are scheduled to expire within the next 30 days or have expired in the preceding 30 days. Reserved Instances do not renew automatically; you can continue using an EC2 instance covered by the reservation without interruption, but you will be charged On-Demand rates. New Reserved Instances can have the same parameters as the expired ones, or you can purchase Reserved Instances with different parameters.
The estimated monthly savings we show is the difference between the On-Demand and Reserved Instance rates for the same instance type.
Alert Criteria
Yellow: The Reserved Instance lease expires in less than 30 days.
Yellow: The Reserved Instance lease expired in the preceding 30 days.
Recommended Action
Consider purchasing a new Reserved Instance to replace the one that is nearing the end of its term. For more information, see How to Purchase Reserved Instances and Buying Reserved Instances.
Additional Resources
Reserved Instances
Instance Types')
, ROW ('C056F80cR3', 'en', 'Amazon Route 53 High TTL Resource Record Sets', 'Checks for resource record sets that can benefit from having a lower time-to-live (TTL) value. TTL is the number of seconds that a resource record set is cached by DNS resolvers. When you specify a long TTL, DNS resolvers take longer to request updated DNS records, which can cause unnecessary delay in rerouting traffic (for example, when DNS Failover detects and responds to a failure of one of your endpoints). Hosted zones created by AWS services won’t appear in your check results.')
, ROW ('6gtQddfEw6', 'en', 'DynamoDB Read Capacity', 'Checks for usage that is more than 80% of the DynamoDB Provisioned Throughput Limit for Reads per Account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G199', 'en', 'Database logging should be enabled', 'Checks if the following Amazon RDS logs are enabled and sent to CloudWatch Logs: Oracle: (Alert, Audit, Trace, Listener), PostgreSQL: (Postgresql, Upgrade), MySQL: (Audit, Error, General, SlowQuery), MariaDB: (Audit, Error, General, SlowQuery), SQL Server: (Error, Agent), Aurora: (Audit, Error, General, SlowQuery), Aurora-MySQL: (Audit, Error, General, SlowQuery), Aurora-PostgreSQL: (Postgresql).')
, ROW ('XG0aXHpIEt', 'en', 'RDS DB Instances', 'Checks for usage that is more than 80% of the RDS DB Instances Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('wuy7G1zxql', 'en', 'Amazon EC2 Availability Zone Balance', 'Checks the distribution of Amazon Elastic Compute Cloud (Amazon EC2) instances across Availability Zones in a region. Availability Zones are distinct locations that are designed to be insulated from failures in other Availability Zones and to provide inexpensive, low-latency network connectivity to other Availability Zones in the same region. By launching instances in multiple Availability Zones in the same region, you can help protect your applications from a single point of failure.')
, ROW ('Hs4Ma3G170', 'en', 'S3 Block Public Access setting should be enabled', 'Checks if the following public access block settings are configured from account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.')
, ROW ('Hs4Ma3G171', 'en', 'S3 buckets should prohibit public read access', 'Checks if your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access check list (ACL).')
, ROW ('Hs4Ma3G172', 'en', 'S3 buckets should prohibit public write access', 'Checks if your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access check list (ACL).')
, ROW ('c1z7dfpz01', 'en', 'Amazon ECS service using a single AZ', 'Checks that your service configuration uses a single Availability Zone (AZ).')
, ROW ('Hs4Ma3G173', 'en', 'S3 Block Public Access setting should be enabled at the bucket-level', 'Checks if Amazon S3 buckets have bucket level public access blocks applied. This check fails if any of the bucket level settings are set to "false" public: ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets.')
, ROW ('c1z7dfpz02', 'en', 'Amazon ECS Multi-AZ placement strategy', 'Checks that your Amazon ECS service uses the spread placement strategy. This strategy distributes tasks across Availability Zones (AZs) in the same AWS Region and can help protect your applications from a single point of failure.')
, ROW ('Hs4Ma3G174', 'en', 'CodeBuild GitHub or Bitbucket source repository URLs should use OAuth', 'Checks if the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password.')
, ROW ('Hs4Ma3G175', 'en', 'CodeBuild project environment variables should not contain clear text credentials', 'Checks if the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.')
, ROW ('Hs4Ma3G176', 'en', 'ACM certificates should be renewed after a specified time period', 'Checks if ACM Certificates in your account are marked for expiration within a specified time period. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.')
, ROW ('CLOG40CDO8', 'en', 'Auto Scaling Group Health Check', 'Examines the health check configuration for Auto Scaling groups. If Elastic Load Balancing is being used for an Auto Scaling group, the recommended configuration is to enable an Elastic Load Balancing health check. If an Elastic Load Balancing health check is not used, Auto Scaling can only act upon the health of the Amazon Elastic Compute Cloud (Amazon EC2) instance and not on the application that is running on the instance.')
, ROW ('aW9HH0l8J6', 'en', 'EC2-Classic Elastic IP Addresses', 'Checks for usage that is more than 80% of the EC2-Classic Elastic IP Addresses Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('wH7DD0l3J9', 'en', 'EBS Throughput Optimized HDD (st1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Throughput Optimized HDD (st1) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('iK7OO0l7J9', 'en', 'ELB Classic Load Balancers', 'Checks for usage that is more than 80% of the ELB Classic Load Balancers. Application Load Balancers and Network Load Balancers have a separate limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
')
, ROW ('DAvU99Dc4C', 'en', 'Underutilized Amazon EBS Volumes', 'Checks Amazon Elastic Block Store (Amazon EBS) volume configurations and warns when volumes appear to be underused. Charges begin when a volume is created. If a volume remains unattached or has very low write activity (excluding boot volumes) for a period of time, the volume is probably not being used.')
, ROW ('pYW8UkYz2w', 'en', 'RDS Read Replicas per Master', 'Checks for usage that is more than 80% of the RDS Read Replicas per Master Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('pR7UU0l7J9', 'en', 'IAM Policies', 'Checks for usage that is more than 80% of the IAM Policies Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('eI7KK0l7J9', 'en', 'EBS Active Snapshots', 'Checks for usage that is more than 80% of the EBS Active Snapshots Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G166', 'en', 'An RDS event notifications subscription should be configured for critical cluster events', 'Checks if an Amazon RDS Event subscription for RDS clusters is configured to notify on event categories of both "maintenance" and "failure".')
, ROW ('Hs4Ma3G167', 'en', 'S3 buckets should have server-side encryption enabled', 'Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.')
, ROW ('Hs4Ma3G168', 'en', 'S3 buckets should require requests to use Secure Socket Layer', 'Checks if S3 buckets have policies that require requests to use Secure Socket Layer (SSL).')
, ROW ('Hs4Ma3G169', 'en', 'S3 permissions granted to other AWS accounts in bucket policies should be restricted', 'Checks if the S3 bucket policy allows sensitive bucket-level or object-level actions from a principal in another AWS account. The check fails if any of the following actions are allowed in the S3 bucket policy for a principal in another AWS account: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutObjectAcl, and s3:PutEncryptionConfiguration.')
, ROW ('fW7HH0l7J9', 'en', 'Auto Scaling Groups', 'Checks for usage that is more than 80% of the Auto Scaling Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('P1jhKWEmLa', 'en', 'RDS Total Storage Quota', 'Checks for usage that is more than 80% of the RDS Total Storage Quota Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G180', 'en', 'Amazon Elasticsearch Service domain error logging to CloudWatch Logs should be enabled', 'Checks whether Amazon Elasticsearch Service domains are configured to send error logs to CloudWatch Logs.')
, ROW ('Hs4Ma3G181', 'en', 'Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager', 'Checks if a Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager. The check fails if a Classic Load Balancer that is configured with an HTTPS/SSL listener does not use a certificate provided by AWS Certificate Manager.')
, ROW ('Hs4Ma3G182', 'en', 'Classic Load Balancer listeners should be configured with HTTPS or TLS termination', 'Checks if your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The check is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the check does not report any findings.')
, ROW ('1qazXsw23e', 'en', 'Amazon Relational Database Service (RDS) Reserved Instance Optimization', 'Checks your usage of RDS and provides recommendations on purchase of Reserved Instances to help reduce costs incurred from using RDS On-Demand. AWS generates these recommendations by analyzing your On-Demand usage for the past 30 days. We then simulate every combination of reservations in the generated category of usage in order to identify the best number of each type of Reserved Instance to purchase to maximize your savings. This check covers recommendations based on partial upfront payment option with 1-year or 3-year commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account.
Alert Criteria
Yellow: Optimizing the purchase of RDS Reserved Instances can help reduce costs.
Recommended Action
See the Cost Explorer page for more detailed recommendations, customization options (e.g. look-back period, payment option, etc.) and to purchase RDS Reserved Instances.
Additional Resources
Information on RDS Reserved Instances and how they can save you money can be found here.')
, ROW ('Hs4Ma3G183', 'en', 'Application load balancer should be configured to drop http headers', 'This check evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers. By default, ALBs are not configured to drop invalid http header values. This check evaluates all ALBs fails if the attribute value of routing.http.drop_invalid_header_fields.enabled is set to false.')
, ROW ('Hs4Ma3G184', 'en', 'Application and Classic Load Balancers logging should be enabled', 'Checks if the Application Load Balancer and the Classic Load Balancer have logging enabled. The check fails if the access_logs.s3.enabled is false.')
, ROW ('Hs4Ma3G185', 'en', 'IAM customer managed policies that you create should not allow wildcard actions for services', 'Checks if the IAM identity-based custom policies have Allow statements that grant permissions for all actions on a service. The check fails if any policy statement includes "Effect": "Allow" with "Action": "Service:".')
, ROW ('Hs4Ma3G186', 'en', 'AWS WAF Classic Global Web ACL logging should be enabled', 'Checks if logging is enabled for a WAF global Web ACL. This check fails if logging is not enabled for the Web ACL.')
, ROW ('Hs4Ma3G187', 'en', 'Connections to Amazon Elasticsearch Service domains should be encrypted using TLS 1.2', 'Checks whether connections to Amazon Elasticsearch Service domains are required to use TLS 1.2. The check fails if the Amazon Elasticsearch Service domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.')
, ROW ('12Fnkpl8Y5', 'en', 'Exposed Access Keys', 'Checks popular code repositories for access keys that have been exposed to the public and for irregular Amazon Elastic Compute Cloud (Amazon EC2) usage that could be the result of a compromised access key. An access key consists of an access key ID and the corresponding secret access key. Exposed access keys pose a security risk to your account and other users, could lead to excessive charges from unauthorized activity or abuse, and violate the AWS Customer Agreement. If your access key is exposed, take immediate action to secure your account. To protect your account from excessive charges, AWS temporarily limits your ability to create certain AWS resources when exposed access keys are identified. This does not make your account secure; it only partially limits the unauthorized usage for which you could be charged. Note: This check does not guarantee the identification of exposed access keys or compromised EC2 instances. You are ultimately responsible for the safety and security of your access keys and AWS resources.
If a deadline is shown for an access key, AWS may suspend your AWS account if the unauthorized usage is not stopped by that date. If you believe an alert is in error, contact AWS Support.
The information displayed in Trusted Advisor may not reflect the most recent state of your account. No exposed access keys are marked as resolved until all exposed access keys on the account have been resolved. This data synchronization can take up to one week.
Alert Criteria
Red: Potentially compromised - AWS has identified an access key ID and corresponding secret access key that have been exposed on the Internet and may have been compromised (used).
Red: Exposed - AWS has identified an access key ID and corresponding secret access key that have been exposed on the Internet.
Red: Suspected - Irregular Amazon EC2 usage indicates that an access key may have been compromised, but it has not been identified as exposed on the Internet.
Recommended Action
Delete the affected access key as soon as possible. If the key is associated with an IAM user, see Managing Access Keys for IAM Users.
Check your account for unauthorized usage. Log in to the AWS Management Console and check each service console for suspicious resources. Pay special attention to running Amazon EC2 instances, Spot Instance requests, access keys, and IAM users. You can also check overall usage on the Billing & Cost Management Dashboard.
Additional Resources
Best Practices for Managing AWS Access Keys
AWS Security Audit Guidelines')
, ROW ('8CNsSllI5v', 'en', 'Auto Scaling Group Resources', 'Checks the availability of resources associated with launch configurations and your Auto Scaling groups. Auto Scaling groups that point to unavailable resources cannot launch new Amazon Elastic Compute Cloud (Amazon EC2) instances. When properly configured, Auto Scaling causes the number of Amazon EC2 instances to increase seamlessly during demand spikes and decrease automatically during demand lulls. Auto Scaling groups and launch configurations that point to unavailable resources do not operate as intended.')
, ROW ('k3J2hns32g', 'en', 'Overutilized Amazon EBS Magnetic Volumes', 'Checks for Amazon Elastic Block Store (EBS) Magnetic volumes that are potentially overutilized and might benefit from a more efficient configuration. A Magnetic volume is designed for applications with moderate or bursty I/O requirements, and the IOPS rate is not guaranteed. It delivers approximately 100 IOPS on average, with a best-effort ability to burst to hundreds of IOPS. For consistently higher IOPS, you can use a Provisioned IOPS (SSD) volume. For bursty IOPS, you can use a General Purpose (SSD) volume. For more information, see Amazon EBS Volume Types.')
, ROW ('hjLMh88uM8', 'en', 'Idle Load Balancers', 'Checks your Elastic Load Balancing configuration for load balancers that are not actively used. Any load balancer that is configured accrues charges. If a load balancer has no associated back-end instances or if network traffic is severely limited, the load balancer is not being used effectively.')
, ROW ('Hs4Ma3G177', 'en', 'Auto scaling groups associated with a load balancer should use load balancer health checks', 'Checks if your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.')
, ROW ('Hs4Ma3G178', 'en', 'Security groups should only allow unrestricted incoming traffic for authorized ports', 'Checks if the security groups allow unrestricted incoming traffic. The check fails if ports allow unrestricted traffic on ports other than 80 and 443, which are default values for parameter authorizedTcpPorts.')
, ROW ('BueAdJ7NrP', 'en', 'Amazon S3 Bucket Logging', 'Checks the logging configuration of Amazon Simple Storage Service (Amazon S3) buckets. When server access logging is enabled, detailed access logs are delivered hourly to a bucket that you choose. An access log record contains details about each request, such as the request type, the resources specified in the request, and the time and date the request was processed. By default, bucket logging is not enabled; you should enable logging if you want to perform security audits or learn more about users and usage patterns.')
, ROW ('Hs4Ma3G179', 'en', 'SNS topics should be encrypted at-rest using AWS KMS', 'Checks if an Amazon SNS topic is encrypted at rest using AWS KMS.')
, ROW ('xdeXZKIUy', 'en', 'ELB Cross-Zone Load Balancing', 'With Cross-zone load balancing turned off, there is a risk of service unavailability due to uneven distribution of traffic or backend overloading. This problem can occur when clients incorrectly cache DNS information, or when there are an unequal number of instances in each Availability Zone (for example, if you have taken down some instances for maintenance).
Alert Criteria
Yellow: Cross-zone load balancing is not enabled for a load balancer.
Recommended Action
Confirm that the Amazon EC2 instances registered with the load balancer are launched in multiple Availability Zones, and then enable cross-zone load balancing for the load balancer. For more information, see Availability Zones and Regions and Enable or Disable Cross-Zone Load Balancing for Your Load Balancer.
Additional Resources
Request Routing
Elastic Load Balancing Concepts')
, ROW ('gW7HH0l7J9', 'en', 'CloudFormation Stacks', 'Checks for usage that is more than 80% of the CloudFormation Stacks Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('gI7MM0l7J2', 'en', 'EBS Provisioned IOPS SSD (io2) Volume Storage', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS SSD (io2) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G270', 'en', 'EC2 Auto Scaling groups should use EC2 launch templates', 'Checks if an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This check fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy.')
, ROW ('Hs4Ma3G271', 'en', 'API Gateway routes should specify an authorization type', 'Checks if Amazon API Gateway routes have an authorization type. The check fails if the API Gateway route does not specify an authorization type')
, ROW ('Hs4Ma3G150', 'en', 'Elasticsearch domains should encrypt data sent between nodes', 'Checks if Elasticsearch domains have node-to-node encryption enabled.')
, ROW ('Hs4Ma3G272', 'en', 'Users should not have root access to SageMaker notebook instances', 'Checks if root access is turned off for Amazon SageMaker notebook instances. The check fails if root access is turned on for a SageMaker notebook instance.')
, ROW ('Hs4Ma3G151', 'en', 'An RDS event notifications subscription should be configured for critical database parameter group events', 'Checks if an Amazon RDS Event subscription for RDS parameter groups is configured to notify on event category of "configuration change".')
, ROW ('Hs4Ma3G273', 'en', 'Security contact information should be provided for an AWS account.', 'Checks if an Amazon Web Services (AWS) account has security contact information. The check fails if security contact information is not provided for the account.')
, ROW ('Hs4Ma3G152', 'en', 'An RDS event notifications subscription should be configured for critical database instance events', 'Checks if an Amazon RDS Event subscription for RDS instances is configured to notify on event categories of both "maintenance", "configuration change", and "failure".')
, ROW ('EM8b3yLRTr', 'en', 'ELB Application Load Balancers', 'Checks for usage that is more than 80% of the ELB Application Load Balancers Limit. Classic Load Balancers and Network Load Balancers have separate limits. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
')
, ROW ('rT7WW0l7J9', 'en', 'IAM Server Certificates', 'Checks for usage that is more than 80% of the IAM Server Certificates Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G274', 'en', 'SageMaker notebook instances should be launched in a custom VPC', 'Checks if an Amazon SageMaker notebook instance is launched within a custom VPC. The check fails if a SageMaker notebook instance is not launched within a custom VPC.')
, ROW ('Hs4Ma3G153', 'en', 'RDS instances should not use a database engine default port', 'Checks if RDS instances use the default port of that database engine.')
, ROW ('Hs4Ma3G275', 'en', 'CloudFront distributions should not point to non-existent S3 origins', 'Checks if Amazon CloudFront distributions are pointing to non-existent S3 origins. The check fails for a CloudFront distribution if the origin is configured to point to a non-existent bucket. This check only applies to CloudFront distributions where an S3 bucket without static website hosting is the S3 origin.')
, ROW ('Hs4Ma3G154', 'en', 'An RDS event notifications subscription should be configured for critical database security group events', 'Checks if an Amazon RDS Event subscription for RDS security groups is configured to notify on event categories of both "configuration change" and "failure".')
, ROW ('N415c450f2', 'en', 'CloudFront Header Forwarding and Cache Hit Ratio', 'Checks the HTTP request headers that CloudFront currently receives from the client and forwards to your origin server. Some headers, such as Date or User-Agent, significantly reduce the cache hit ratio (the proportion of requests that are served from a CloudFront edge cache). This increases the load on your origin and reduces performance because CloudFront must forward more requests to your origin.')
, ROW ('Hs4Ma3G265', 'en', 'A WAF Regional rule group should have at least one rule', 'Checks if a WAF Regional rule group has at least one rule. The check fails if no rules are present within a rule group.')
, ROW ('Hs4Ma3G144', 'en', 'Unused IAM user credentials should be removed', 'Checks if your IAM users have passwords or active access keys that were not used within the previous 90 days.')
, ROW ('iqdCTZKCUp', 'en', 'Load Balancer Optimization', 'Checks your load balancer configuration. To help increase the level of fault tolerance in Amazon Elastic Compute Cloud (EC2) when using Elastic Load Balancing, we recommend running an equal number of instances across multiple Availability Zones in a region. A load balancer that is configured accrues charges, so this is a cost-optimization check as well.
Alert Criteria
Yellow: A load balancer is enabled for a single Availability Zone.
Yellow: A load balancer is enabled for an Availability Zone that has no active instances.
Yellow: The Amazon EC2 instances that are registered with a load balancer are unevenly distributed across Availability Zones. (The difference between the highest and lowest instance counts in utilized Availability Zones is more than 1, and the difference is more than 20% of the highest count.)
Recommended Action
Ensure that your load balancer points to active and healthy instances in at least two Availability Zones. For more information, see Add Availability Zone.
If your load balancer is configured for an Availability Zone with no healthy instances, or if there is an imbalance of instances across the Availability Zones, determine if all the Availability Zones are necessary. Omit any unnecessary Availability Zones and ensure there is a balanced distribution of instances across the remaining Availability Zones. For more information, see Remove Availability Zone.
Additional Resources
Availability Zones and Regions
Managing Load Balancers
Best Practices in Evaluating Elastic Load Balancing')
, ROW ('gI7MM0l7J9', 'en', 'EBS Provisioned IOPS SSD (io1) Volume Storage', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS SSD (io1) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G266', 'en', 'A WAF Regional web ACL should have at least one rule or rule group', 'Checks if a WAF Regional web ACL contains any WAF rules or WAF rule groups. This check fails if a web ACL does not contain any WAF rules or rule groups.')
, ROW ('Hs4Ma3G145', 'en', 'Amazon ECS task definitions should have secure networking modes and user definitions.', 'Checks if an Amazon ECS Task Definition with host networking mode has "privileged" or "user" container definitions. The check fails with host network mode and container definitions are privileged=false or empty and user=root or empty.')
, ROW ('Ti39halfu8', 'en', 'Amazon RDS Idle DB Instances', 'Checks the configuration of your Amazon Relational Database Service (Amazon RDS) for any DB instances that appear to be idle. If a DB instance has not had a connection for a prolonged period of time, you can delete the instance to reduce costs. If persistent storage is needed for data on the instance, you can use lower-cost options such as taking and retaining a DB snapshot. Manually created DB snapshots are retained until you delete them.')
, ROW ('Hs4Ma3G267', 'en', 'A WAF global rule should have at least one condition', 'Checks if a WAF global rule has at least one condition. This check fails if no conditions are present within a rule.')
, ROW ('Hs4Ma3G146', 'en', 'ECS services should not have public IP addresses assigned to them automatically', 'Checks if ECS services are configured to automatically assign public IP addresses. This check fails if AssignPublicIP is ENABLED.')
, ROW ('j3DFqYTe29', 'en', 'Large Number of EC2 Security Group Rules Applied to an Instance', 'Checks for Amazon Elastic Compute Cloud (EC2) instances that have a large number of security group rules. Performance can be degraded if an instance has a large number of rules.')
, ROW ('Hs4Ma3G268', 'en', 'A WAF global rule group should have at least one rule', 'Checks if a WAF global rule group has at least one rule. The check fails if no rules are present within a rule group.')
, ROW ('Hs4Ma3G147', 'en', 'Amazon Elasticsearch Service domains should be in a VPC', 'Checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This check also does not check whether the Amazon OpenSearch Service resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon Elasticsearch Service domains are not attached to public subnets. See Resource-based policies (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource) in the Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) Developer Guide. You should also ensure that your VPC is configured according to the recommended best practices. See Security best practices for your VPC (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html) in the Amazon VPC User Guide.')
, ROW ('Hs4Ma3G269', 'en', 'A WAF global web ACL should have at least one rule or rule group', 'Checks if a WAF global web ACL contains any WAF rules or WAF rule groups. This check fails if a web ACL does not contain any WAF rules or WAF rule groups.')
, ROW ('Hs4Ma3G148', 'en', 'Elastic Beanstalk environments should have enhanced health reporting enabled', 'Checks if enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.')
, ROW ('1qw23er45t', 'en', 'Amazon Redshift Reserved Node Optimization', 'Checks your usage of Redshift and provides recommendations on purchase of Reserved Nodes to help reduce costs incurred from using Redshift On-Demand. AWS generates these recommendations by analyzing your On-Demand usage for the past 30 days. We then simulate every combination of reservations in the generated category of usage in order to identify the best number of each type of Reserved Nodes to purchase to maximize your savings. This check covers recommendations based on partial upfront payment option with 1-year or 3-year commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account.
Alert Criteria
Yellow: Optimizing the purchase of Redshift Reserved Nodes can help reduce costs.
Recommended Action
See the Cost Explorer page for more detailed recommendations, customization options (e.g. look-back period, payment option, etc.) and to purchase Redshift Reserved Nodes.
Additional Resources
Information on Redshift Reserved Nodes and how they can save you money can be found here.')
, ROW ('Hs4Ma3G149', 'en', 'Elastic Beanstalk managed platform updates should be enabled', 'Checks if managed platform updates are enabled for the AWS Elastic Beanstalk environment.')
, ROW ('Cb877eB72b', 'en', 'Amazon Route 53 Deleted Health Checks', 'Checks for resource record sets that are associated with health checks that have been deleted. Amazon Route 53 does not prevent you from deleting a health check that is associated with one or more resource record sets. If you delete a health check without updating the associated resource record sets, the routing of DNS queries for your DNS failover configuration will not work as intended. Hosted zones created by AWS services won’t appear in your check results.
Alert Criteria
Yellow: A resource record set is associated with a health check that has been deleted.
Recommended Action
Create a new health check and associate it with the resource record set; see Creating, Updating, and Deleting Health Checks and Adding Health Checks to Resource Record Sets.
Additional Information
Amazon Route 53 Health Checks and DNS Failover
How Health Checks Work in Simple Amazon Route 53 Configurations')
, ROW ('Hs4Ma3G280', 'en', 'Application, Network and Gateway Load Balancers should span multiple Availability Zones', 'Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones. The check fails if an Elastic Load Balancer V2 has instances registered in less than 2 Availability Zones.')
, ROW ('796d6f3D83', 'en', 'CloudFront Content Delivery Optimization', 'Checks for cases where data transfer from Amazon Simple Storage Service (Amazon S3) buckets could be accelerated by using Amazon CloudFront, the AWS global content delivery service. When you configure CloudFront to deliver your content, requests for your content are automatically routed to the nearest edge location where content is cached, so it can be delivered to your users with the best possible performance. A high ratio of data transferred out to the data stored in the bucket indicates that you could benefit from using Amazon CloudFront to deliver the data. ')
, ROW ('Hs4Ma3G160', 'en', 'IAM authentication should be configured for RDS instances', 'Checks if an RDS DB instance has IAM database authentication enabled.')
, ROW ('Hs4Ma3G161', 'en', 'IAM authentication should be configured for RDS clusters', 'Checks if an RDS DB cluster has IAM database authentication enabled.')
, ROW ('Hs4Ma3G162', 'en', 'RDS automatic minor version upgrades should be enabled', 'Checks if automatic minor version upgrades are enabled for the Amazon RDS database instance.')
, ROW ('Hs4Ma3G163', 'en', 'RDS DB clusters should be configured to copy tags to snapshots', 'Checks if RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created.')
, ROW ('Hs4Ma3G164', 'en', 'RDS DB instances should be configured to copy tags to snapshots', 'Checks if RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.')
, ROW ('Hs4Ma3G165', 'en', 'RDS instances should be deployed in a VPC', 'Checks if an RDS instance is deployed in a VPC (EC2-VPC).')
, ROW ('keAhfbH5yb', 'en', 'RDS Event Subscriptions', 'Checks for usage that is more than 80% of the RDS Event Subscriptions Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('c5ftjdfkMr', 'en', 'DynamoDB Write Capacity', 'Checks for usage that is more than 80% of the DynamoDB Provisioned Throughput Limit for Writes per Account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G276', 'en', 'A WAFV2 web ACL should have at least one rule or rule group', 'Checks if a WAFV2 web ACL contains at least one WAF rule or WAF rule group. The check fails if a web ACL does not contain any WAF rule or rule group.')
, ROW ('Hs4Ma3G155', 'en', 'EC2 instances should be managed by AWS Systems Manager', 'Checks if the Amazon EC2 instances in your account are managed by AWS Systems Manager.')
, ROW ('Cm24dfsM13', 'en', 'Amazon Comprehend Endpoint Access Risk', 'Checks the AWS Key Management Service (AWS KMS) key permissions for an endpoint where the underlying model was encrypted by using customer managed keys. If the customer managed key is disabled or the key policy was changed to alter the allowed permissions for Amazon Comprehend, the endpoint availability might be affected.
Note:
This check is automatically refreshed multiple times a day. It might take a few hours for the latest results to appear.
Alert Criteria
Red: The customer managed key is disabled or the key policy was changed to alter the allowed permissions for Amazon Comprehend access.
Recommended Action
If the customer managed key was disabled, we recommend that you enable it. For more information, see Enabling keys. If the key policy was altered and you want to keep using the endpoint, we recommend that you update the KMS key policy. For more information, see Changing a key policy.')
, ROW ('Hs4Ma3G277', 'en', 'EC2 launch templates should not assign public IPs to network interfaces', 'Checks if Amazon EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch. The check fails if an EC2 launch template is configured to assign a public IP address to network interfaces or if there is at least one network interface that has a public IP address.')
, ROW ('Hs4Ma3G156', 'en', 'EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation', 'Checks if the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only assesses instances that are managed by AWS Systems Manager Patch Manager.')
, ROW ('ZRxQlPsb6c', 'en', 'High Utilization Amazon EC2 Instances', 'Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was more than 90% on 4 or more days. Consistent high utilization can indicate optimized, steady performance, but it can also indicate that an application does not have enough resources. To get daily CPU utilization data, download the report for this check.')
, ROW ('Hs4Ma3G278', 'en', 'Access logging should be configured for API Gateway V2 Stages', 'Checks if Amazon API Gateway V2 stages have access logging configured. This check fails if access log settings aren’t defined.')
, ROW ('Hs4Ma3G157', 'en', 'EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT', 'Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is executed on an instance.')
, ROW ('bW7HH0l7J9', 'en', 'Kinesis Shards per Region', 'Checks for usage that is more than 80% of the Kinesis Shards per Region Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G279', 'en', 'Amazon EC2 Auto Scaling group should cover multiple Availability Zones', 'Checks if an Auto Scaling group spans multiple Availability Zones. The check fails if an Auto Scaling group does not span multiple availability zones.')
, ROW ('Hs4Ma3G158', 'en', 'SSM documents should not be public', 'Checks if AWS Systems Manager documents that the account owns are public. This check fails if SSM documents that have "Self" as the owner are public.')
, ROW ('Cm24dfsM12', 'en', 'Amazon Comprehend Underutilized Endpoints', 'Checks the throughput configuration of your endpoints. This check alerts you when endpoints are not actively used for real-time inference requests. An endpoint that isn’t used for more than 15 consecutive days is considered underutilized. All endpoints accrue charges based on both the throughput set and the length of time that the endpoint is active.
Note:
This check is automatically refreshed once a day.
Alert Criteria
Yellow: The endpoint is active, but hasn’t been used for real-time inference requests in the past 15 days.
Recommended Action
If the endpoint hasn’t been used in the past 15 days, we recommend that you define a scaling policy for the resource by using Application Autoscaling.
If the endpoint has a scaling policy defined and hasn’t been used in the past 30 days, consider deleting the endpoint and using asynchronous inference. For more information, see Deleting an endpoint with Amazon Comprehend.')
, ROW ('Hs4Ma3G159', 'en', 'Elastic File System should be configured to encrypt file data at-rest using AWS KMS', 'Checks if Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS). The check will fail if the encrypted key is set to false on DescribeFileSystems or if the KmsKeyId key on DescribeFileSystems does not match the KmsKeyId parameter.')
, ROW ('nO7SS0l7J9', 'en', 'IAM Instance Profiles', 'Checks for usage that is more than 80% of the IAM Instance Profiles Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('dx3xfcdfMr', 'en', 'Route 53 Hosted Zones', 'Checks for usage that is more than 80% of the Route 53 Hosted Zones Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('PPkZrjsH2q', 'en', 'Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration', 'Checks for Provisioned IOPS (SSD) volumes that are attached to an Amazon EBS-optimizable Amazon Elastic Compute Cloud (Amazon EC2) instance that is not EBS-optimized. Provisioned IOPS (SSD) volumes in the Amazon Elastic Block Store (Amazon EBS) are designed to deliver the expected performance only when they are attached to an EBS-optimized instance.')
, ROW ('Hs4Ma3G250', 'en', 'ECS clusters should use Container Insights', 'Checks if ECS clusters use Container Insights. This check fails if Container Insights are not set up for a cluster.')
, ROW ('Hs4Ma3G251', 'en', 'EFS access points should enforce a root directory', 'Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a root directory. This check fails if the value of Path is set to / (default root directory of the file system).')
, ROW ('Hs4Ma3G130', 'en', 'Lambda functions should use supported runtimes', 'Checks that the lambda function settings for runtimes, match the expected values set for the supported runtimes for each language. The supported runtimes this check assesses for are: nodejs14.x, nodejs12.x, python3.8, python3.7, python3.6, java11, java8, go1.x, dotnetcore2.1, dotnetcore3.1, ruby2.7.')
, ROW ('Hs4Ma3G252', 'en', 'EFS access points should enforce a user identity', 'Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity. This check fails if ‘PosixUser’ is not defined under ‘configuration’ or if parameters are provided and there is no match in the corresponding parameter.')
, ROW ('Hs4Ma3G131', 'en', 'Lambda function policies should prohibit public access', 'Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda function policy allows public access, the check fails.')
, ROW ('Hs4Ma3G253', 'en', 'EKS clusters should run on a supported Kubernetes version', 'Checks if an EKS cluster is running on a supported Kubernetes version. The check fails if the EKS cluster is running on an unsupported version.')
, ROW ('Hs4Ma3G132', 'en', 'Database Migration Service replication instances should not be public', 'Checks if AWS Database Migration Service replication instances are public by examining the PubliclyAccessible field value.')
, ROW ('lN7RR0l7J9', 'en', 'EC2-VPC Elastic IP Address', 'Checks for usage that is more than 80% of the EC2-VPC Elastic IP Address Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Z4AUBRNSmz', 'en', 'Unassociated Elastic IP Addresses', 'Checks for Elastic IP addresses (EIPs) that are not associated with a running Amazon Elastic Compute Cloud (Amazon EC2) instance. EIPs are static IP addresses designed for dynamic cloud computing. Unlike traditional static IP addresses, EIPs can mask the failure of an instance or Availability Zone by remapping a public IP address to another instance in your account. A nominal charge is imposed for an EIP that is not associated with a running instance.')
, ROW ('dBkuNCvqn5', 'en', 'RDS Max Auths per Security Group', 'Checks for usage that is more than 80% of the RDS Max Auths per Security Group Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('H7IgTzjTYb', 'en', 'Amazon EBS Snapshots', 'Checks the age of the snapshots for your Amazon Elastic Block Store (Amazon EBS) volumes (available or in-use). Even though Amazon EBS volumes are replicated, failures can occur. Snapshots are persisted to Amazon Simple Storage Service (Amazon S3) for durable storage and point-in-time recovery.')
, ROW ('Hs4Ma3G243', 'en', 'Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)', 'Checks if only IMDSv2 is enabled. This check fails if the metadata version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled.')
, ROW ('Hs4Ma3G122', 'en', 'VPC flow logging should be enabled in all VPCs', 'Checks if Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPCs. The traffic type is set to Reject.')
, ROW ('7ujm6yhn5t', 'en', 'Amazon OpenSearch Service Reserved Instance Optimization', 'Checks your usage of Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) and provides recommendations on purchase of Reserved Instances to help reduce costs incurred from using Amazon OpenSearch Service On-Demand. AWS generates these recommendations by analyzing your On-Demand usage for the past 30 days. We then simulate every combination of reservations in the generated category of usage in order to identify the best number of each type of Reserved Instance to purchase to maximize your savings. This check covers recommendations based on partial upfront payment option with 1-year or 3-year commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account.')
, ROW ('Hs4Ma3G244', 'en', 'Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1', 'Checks the number of network hops that the metadata token can travel. This check fails if the metadata response hop limit is greater than 1.')
, ROW ('Hs4Ma3G123', 'en', 'EC2 instances should not have a public IPv4 address', 'Checks if EC2 instances have a public IP address. The check fails if the publicIp field is present in the EC2 instance configuration item. This check applies to IPv4 addresses only.')
, ROW ('gjqMBn6pjz', 'en', 'RDS Clusters', 'Checks for usage that is more than 80% of the RDS Clusters Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G245', 'en', 'CloudFormation stacks should be integrated with Simple Notification Service (SNS)', 'Checks if your CloudFormation stacks are sending event notifications to SNS topic. This check fails if CloudFormation stacks are not sending event notifications to an SNS topic.')
, ROW ('Hs4Ma3G124', 'en', 'EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)', 'Checks if your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The check passes if HttpTokens is set to required for IMDSv2. The check fails if HttpTokens is set to optional.')
, ROW ('Hs4Ma3G246', 'en', 'CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins', 'Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This check fails for a CloudFront distribution if it has a CustomOriginConfig where ‘OriginSslProtocols’ includes ‘SSLv3’.')
, ROW ('Hs4Ma3G125', 'en', 'API Gateway should be associated with a WAF Web ACL', 'Checks to see if an API Gateway stage is using an AWS WAF Web ACL. This check fails if an AWS WAF Web ACL is not attached to a REST API Gateway stage.')
, ROW ('Qch7DwouX1', 'en', 'Low Utilization Amazon EC2 Instances', 'Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days. Running instances generate hourly usage charges. Although some scenarios can result in low utilization by design, you can often lower your costs by managing the number and size of your instances.')
, ROW ('Hs4Ma3G247', 'en', 'EC2 Transit Gateways should not automatically accept VPC attachment requests', 'Checks if EC2 Transit Gateways are automatically accepting shared VPC attachments requests. This check will fail for a Transit Gateway that automatically accept shared VPC attachment requests.')
, ROW ('Hs4Ma3G126', 'en', 'DynamoDB Accelerator (DAX) clusters should be encrypted at rest', 'Checks if a DAX cluster is encrypted at rest.')
, ROW ('Hs4Ma3G248', 'en', 'EC2 paravirtual instance types should not be used', 'Checks if the virtualization type of an EC2 instance is paravirtual. The check fails for an EC2 instance if ‘virtualizationType’ is set to ‘paravirtual’.')
, ROW ('Hs4Ma3G127', 'en', 'API Gateway REST and WebSocket API execution logging should be enabled', 'Checks if all stages of Amazon API Gateway REST and WebSocket APIs have logging enabled. The check fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO.')
, ROW ('Hs4Ma3G249', 'en', 'ECS Fargate services should run on the latest Fargate platform version', 'Checks if ECS Fargate services is running the latest Fargate platform version. This check fails if the platform version is not latest.')
, ROW ('Hs4Ma3G128', 'en', 'API Gateway REST API stages should be configured to use SSL certificates for backend authentication', 'Checks if Amazon API Gateway REST API stages have SSL certificates configured that backend systems can use to authenticate that incoming requests are from the API Gateway.')
, ROW ('Hs4Ma3G129', 'en', 'API Gateway REST API stages should have AWS X-Ray tracing enabled', 'Checks if AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.')
, ROW ('G31sQ1E9U', 'en', 'Underutilized Amazon Redshift Clusters', 'Checks your Amazon Redshift configuration for clusters that appear to be underutilized. If an Amazon Redshift cluster has not had a connection for a prolonged period of time or is using a low amount of CPU, you can use lower-cost options such as downsizing the cluster or shutting down the cluster and taking a final snapshot. Final snapshots are retained even after you delete your cluster.
Alert Criteria
Yellow: A running cluster has not had a connection in the last 7 days.
Yellow: A running cluster had less than 5% cluster-wide average CPU utilization for 99% of the last 7 days.
Recommended Action
Consider shutting down the cluster and taking a final snapshot, or downsizing the cluster. See Shutting Down and Deleting Clusters and Resizing a Cluster.
Additional Resources
Amazon CloudWatch Developer Guide')
, ROW ('h3L1otH3re', 'en', 'Amazon ElastiCache Reserved Node Optimization', 'Checks your usage of ElastiCache and provides recommendations on purchase of Reserved Nodes to help reduce costs incurred from using ElastiCache On-Demand. AWS generates these recommendations by analyzing your On-Demand usage for the past 30 days. We then simulate every combination of reservations in the generated category of usage in order to identify the best number of each type of Reserved Node to purchase to maximize your savings. This check covers recommendations based on partial upfront payment option with 1-year or 3-year commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account.')
, ROW ('Hs4Ma3G260', 'en', 'OpenSearch domains should have fine-grained access control enabled', 'Checks if Amazon OpenSearch domains have fine-grained access check enabled. This check fails if the fine-grained access check is not enabled.')
, ROW ('Hs4Ma3G261', 'en', 'Redshift clusters should not use the default database name', 'Checks if a Redshift cluster has changed the database name from its default value. This check will fail if the database name for a Redshift cluster is set to “dev”')
, ROW ('Hs4Ma3G140', 'en', 'IAM root user access key should not exist', 'Checks if the root user access key is available.')
, ROW ('Hs4Ma3G262', 'en', 'S3 buckets should have lifecycle policies configured', 'Checks if a lifecycle policy is configured for an S3 bucket. This check fails if the lifecycle policy is not configured for an S3 bucket.')
, ROW ('Hs4Ma3G141', 'en', 'MFA should be enabled for all IAM users that have a console password', 'Checks if AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.')
, ROW ('Hs4Ma3G263', 'en', 'Logging of delivery status should be enabled for notification messages sent to a topic', 'Checks if logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. This check fails if the delivery status notification for messages is not enabled.')
, ROW ('Hs4Ma3G142', 'en', 'Hardware MFA should be enabled for the root user', 'Checks if your AWS account is enabled to use hardware multi-factor authentication (MFA) device to sign in with root credentials.')
, ROW ('Hs4Ma3G264', 'en', 'A WAF Regional rule should have at least one condition', 'Checks if a WAF Regional rule has at least one condition. The check fails if no conditions are present within a rule.')
, ROW ('Hs4Ma3G143', 'en', 'Password policies for IAM users should have strong configurations', 'Checks if the account password policy for IAM users uses the following recommended configurations: RequireUppercaseCharacters: true, RequireLowercaseCharacters: true, RequireSymbols: true, RequireNumbers: true, MinimumPasswordLength: 8.')
, ROW ('N430c450f2', 'en', 'CloudFront SSL Certificate on the Origin Server', 'Checks your origin server for SSL certificates that are expired, about to expire, missing, or that use outdated encryption. If a certificate is expired, CloudFront responds to requests for your content with HTTP status code 502, Bad Gateway. Certificates that were encrypted by using the SHA-1 hashing algorithm are being deprecated by web browsers such as Chrome and Firefox. Depending on the number of SSL certificates that you have associated with your CloudFront distributions, this check might add a few cents per month to your bill with your web hosting provider, for example, AWS if youre using EC2 or ELB as the origin for your CloudFront distribution. This check does not validate your origin certificate chain or certificate authorities; you can check these in your CloudFront configuration. ')
, ROW ('3Njm0DJQO9', 'en', 'RDS Option Groups', 'Checks for usage that is more than 80% of the RDS Option Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('tV7YY0l7J9', 'en', 'EBS Provisioned IOPS (SSD) Volume Aggregate IOPS', 'Checks for usage that is more than 80% of the EBS Provisioned IOPS (SSD) Volume Aggregate IOPS Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('vZ2c2W1srf', 'en', 'Savings Plan', 'Checks your usage of EC2, Fargate, and Lambda over the last 30 days and provides Savings Plan purchase recommendations, which allows you to commit to a consistent usage amount measured in $/hour for a one or three year term in exchange for discounted rates. These are sourced from AWS Cost Explorer which can be used to get more detailed recommendation information, or to purchase a savings plan. These recommendations should be considered an alternative to your RI recommendations and choosing to act fully on both sets of recommendations would likely lead to over commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account.
Alert Criteria
Yellow: Optimizing the purchase of Savings Plans can help reduce costs.
Recommended Action
See the Cost Explorer page for more detailed and customized recommendations and to purchase Savings Plans.
Additional Resources
Savings Plan User Guide
Savings Plan FAQ')
, ROW ('Hs4Ma3G254', 'en', 'Application Load Balancer should be configured with defensive or strictest desync mitigation mode', 'Checks if the Application Load Balancer is configured with defensive or strictest de-sync mitigation mode. This check fails if the Application Load Balancer is not configured with defensive or strictest desync mitigation mode.')
, ROW ('Hs4Ma3G133', 'en', 'IAM customer managed policies should not allow decryption actions on all KMS keys', 'Checks if the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources. This check fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The check evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.')
, ROW ('ty3xfcdfMr', 'en', 'Route 53 Reusable Delegation Sets', 'Checks for usage that is more than 80% of the Route 53 Reusable Delegation Sets Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G255', 'en', 'Classic Load Balancer should be configured with defensive or strictest desync mitigation mode', 'Checks if the Classic Load Balancer is configured defensive or strictest desync mitigation mode. This check will fail if the Application Load Balancer is not configured with defensive strictest mitigation Desync mitigation mode.')
, ROW ('Hs4Ma3G134', 'en', 'IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys', 'Checks if the inline policies embedded in your IAM principals (Role/User/Group) allow the AWS Key Management Service (KMS) decryption actions on all KMS keys. This check fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys in an inline policy.')
, ROW ('Hs4Ma3G256', 'en', 'Kinesis streams should be encrypted at rest', 'Checks if Kinesis streams are encrypted at rest with server-side encryption. This check fails if a Kinesis stream is not encrypted at rest with server-side encryption.')
, ROW ('Hs4Ma3G135', 'en', 'AWS KMS keys should not be deleted unintentionally', 'Checks whether AWS Key Management Service (KMS) keys are scheduled for deletion. The check fails if a KMS key is scheduled for deletion.')
, ROW ('gfZAn3W7wl', 'en', 'RDS DB Security Groups', 'Checks for usage that is more than 80% of the RDS DB Security Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G257', 'en', 'Network Firewall policies should have at least one rule group associated', 'Checks if a Network Firewall policy has any stateful or stateless rule groups associated. This check fails if stateless or stateful rule groups are not assigned.')
, ROW ('Hs4Ma3G136', 'en', 'Amazon SQS queues should be encrypted at rest', 'Checks if Amazon SQS queues are encrypted at rest.')
, ROW ('Hs4Ma3G258', 'en', 'The default stateless action for Network Firewall policies should be drop or forward for full packets', 'Checks if the default stateless action for full packets for a Network Firewall policy is drop or forward. The check passes if Drop or Forward is selected, and fails if Pass is selected.')
, ROW ('Hs4Ma3G137', 'en', 'IAM policies should not allow full "*" administrative privileges', 'Checks if the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has "Effect": "Allow" with "Action": "*" over "Resource": "*". It only assesses for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.')
, ROW ('Hs4Ma3G259', 'en', 'The default stateless action for Network Firewall policies should be drop or forward for fragmented packets', 'Checks if a Network Firewall policy has drop or forward as the default stateless action for fragmented packets. The check passes if Drop or Forward is selected, and fails if Pass is selected.')
, ROW ('Hs4Ma3G138', 'en', 'IAM users should not have IAM policies attached', 'Checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.')
, ROW ('7qGXsKIUw', 'en', 'ELB Connection Draining', 'Checks for load balancers that do not have connection draining enabled. When connection draining is not enabled and you remove (deregister) an Amazon EC2 instance from a load balancer, the load balancer stops routing traffic to that instance and closes the connection. When connection draining is enabled, the load balancer stops sending new requests to the deregistered instance but keeps the connection open to serve active requests.
Alert Criteria
Yellow: Connection draining is not enabled for a load balancer.
Recommended Action
Enable connection draining for the load balancer. For more information, see Connection Draining and Enable or Disable Connection Draining for Your Load Balancer.
Additional Resources
Elastic Load Balancing Concepts')
, ROW ('Hs4Ma3G139', 'en', 'IAM users access keys should be rotated every 90 days or less', 'Checks if the active access keys are rotated within 90 days.')
, ROW ('Hs4Ma3G230', 'en', 'S3 bucket server access logging should be enabled', 'Checks if an Amazon S3 Bucket has server access logging enabled to a chosen target bucket.')
, ROW ('Hs4Ma3G231', 'en', 'Stateless network firewall rule group should not be empty', 'Checks if a Stateless Network Firewall Rule Group contains rules. The rule will fail if there are no rules in a Stateless Network Firewall Rule Group.')
, ROW ('Hs4Ma3G110', 'en', 'CloudTrail should have encryption at-rest enabled', 'Checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service (AWS KMS) key encryption. The check will pass if the KmsKeyId is defined.')
, ROW ('UUDvOa5r34', 'en', 'RDS Reserved Instances', 'Checks for usage that is more than 80% of the RDS Reserved Instances Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Qsdfp3A4L1', 'en', 'Amazon EC2 instances over-provisioned for Microsoft SQL Server', 'Checks your Amazon Elastic Compute Cloud (Amazon EC2) instances that are running SQL Server in the past 24 hours. An SQL Server database has a compute capacity limit for each instance. An instance with SQL Server Standard edition can use up to 48 vCPUs. An instance with SQL Server Web can use up to 32 vCPUs. This check alerts you if an instance exceeds this vCPU limit.If your instance is over-provisioned, you pay full price without realizing an improvement in performance. You can manage the number and size of your instances to help lower costs. Estimated monthly savings are calculated by using the same instance family with the maximum number of vCPUs that an SQL Server instance can use and the On-Demand pricing. Actual savings will vary if you’re using Reserved Instances (RI) or if the instance isn’t running for a full day.
Alert Criteria
Red: An instance with SQL Server Standard edition has more than 48 vCPUs.
Red: An instance with SQL Server Web edition has more than 32 vCPUs.
Recommended Action
For SQL Server Standard edition, consider changing to an instance in the same instance family with 48 vCPUs. For SQL Server Web edition, consider changing to an instance in the same instance family with 32 vCPUs. If it is memory intensive, consider changing to memory optimized R5 instances. For more information, see Best Practices for Deploying Microsoft SQL Server on Amazon EC2.
Additional Resources
Microsoft SQL Server on AWS
You can use Launch Wizard to simplify your SQL Server deployment on EC2.
')
, ROW ('oQ7TT0l7J9', 'en', 'IAM Roles', 'Checks for usage that is more than 80% of the IAM Roles Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G229', 'en', 'CloudFront distributions should encrypt traffic to custom origins', 'Checks if CloudFront distributions are encrypting traffic to custom origins. This check fails for a CloudFront distribution whose origin protocol policy allows http-only or if it is match-viewer and the viewer protocol policy is allow-all. ')
, ROW ('Hs4Ma3G108', 'en', 'CloudTrail trails should be integrated with Amazon CloudWatch Logs', 'Checks if AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.')
, ROW ('Hs4Ma3G109', 'en', 'CloudTrail log file validation should be enabled', 'Checks if CloudTrail log file validation is enabled.')
, ROW ('jL7PP0l7J9', 'en', 'VPC', 'Checks for usage that is more than 80% of the VPC Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G221', 'en', 'OpenSearch domains should have audit logging enabled', 'Checks if Amazon OpenSearch Service domains have audit logging enabled.')
, ROW ('Hs4Ma3G100', 'en', 'Amazon SageMaker notebook instances should not have direct internet access', 'Checks if direct internet access is disabled for an Amazon SageMaker notebook instance by examining the DirectInternetAccess field is disabled for an Amazon SageMaker notebook instance.')
, ROW ('Hs4Ma3G222', 'en', 'OpenSearch domain error logging to CloudWatch Logs should be enabled', 'Checks if Amazon OpenSearch domains are configured to send error logs to CloudWatch Logs. This check fails if error logging to CloudWatch is not enabled for a domain.')
, ROW ('Hs4Ma3G101', 'en', 'Amazon Elastic MapReduce cluster master nodes should not have public IP addresses', 'Checks if master nodes on EMR clusters have public IP addresses.')
, ROW ('Hs4Ma3G223', 'en', 'OpenSearch domains should encrypt data sent between nodes', 'Checks if Amazon OpenSearch domains have node-to-node encryption enabled. This check fails if node-to-node encryption is disabled on the domain.')
, ROW ('Hs4Ma3G102', 'en', 'Connections to Amazon Redshift clusters should be encrypted in transit', 'Checks if connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1.')
, ROW ('cX3c2R1chu', 'en', 'Amazon EC2 Reserved Instances Optimization', 'A significant part of using AWS involves balancing your Reserved Instance (RI) usage and your On-Demand instance usage. We provide recommendations on which RIs will help reduce costs incurred from using On-Demand instances.
AWS generates these recommendations by analyzing your On-Demand usage for the past 30 days, and then categorizing the usage into eligible categories for reservations. We then simulate every combination of reservations in the generated category of usage in order to identify the best number of each type of RI to purchase to maximize your savings. This check covers recommendations based on Standard Reserved Instances with partial upfront payment option. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account.
Alert Criteria
Yellow: Optimizing the use of partial upfront RIs can help reduce costs.
Recommended Action
See the Cost Explorer page for more detailed and customized recommendations. Additionally, refer to the buying guide to understand how to purchase RIs and the options available.
Additional Resources
Information on RIs and how they can save you money can be found here.
For more information on this recommendation, see Reserved Instance Optimization Check Questions in the Trusted Advisor FAQs.')
, ROW ('Hs4Ma3G224', 'en', 'OpenSearch domains should be in a VPC', 'Checks Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC).')
, ROW ('Hs4Ma3G103', 'en', 'Amazon Redshift clusters should prohibit public access', 'Checks if Amazon Redshift clusters are publicly accessible. It evaluates the publiclyAccessible field in the cluster configuration item.')
, ROW ('Hs4Ma3G225', 'en', 'OpenSearch domains should have encryption at rest enabled', 'Checks if Amazon OpenSearch domains have encryption-at-rest configuration enabled. The check fails if encryption at rest is not enabled.')
, ROW ('Hs4Ma3G104', 'en', 'Redshift clusters should use enhanced VPC routing', 'Checks if a Redshift cluster has EnhancedVpcRouting enabled.')
, ROW ('Hs4Ma3G226', 'en', 'Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses', 'Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled using launch configurations.')
, ROW ('Hs4Ma3G105', 'en', 'Amazon Redshift should have automatic upgrades to major versions enabled', 'Checks if an Amazon Redshift cluster is configured with automatic upgrades to major versions.')
, ROW ('Hs4Ma3G227', 'en', 'CloudFront distributions should use custom SSL/TLS certificates', 'Checks if CloudFront distributions are using the default SSL/TLS certificate CloudFront provides instead of a custom one. This check fails for a CloudFront distribution if it uses the default SSL/TLS certificate.')
, ROW ('Hs4Ma3G106', 'en', 'Amazon Redshift clusters should have audit logging enabled', 'Checks if an Amazon Redshift cluster has audit logging enabled.')
, ROW ('Hs4Ma3G228', 'en', 'CloudFront distributions should use SNI to serve HTTPS requests', 'Checks if Amazon CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests as opposed to dedicated IP address.')
, ROW ('Hs4Ma3G107', 'en', 'CloudFront distributions should require encryption in transit', 'Checks if an Amazon CloudFront distribution requires viewers to use HTTPS directly, or if it uses redirection. The check fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.')
, ROW ('S45wrEXrLz', 'en', 'VPN Tunnel Redundancy', 'Checks the number of tunnels that are active for each of your VPNs. A VPN should have two tunnels configured at all times to provide redundancy in case of outage or planned maintenance of the devices at the AWS endpoint. For some hardware, only one tunnel is active at a time (see the Amazon Virtual Private Cloud Network Administrator Guide). If a VPN has no active tunnels, charges for the VPN might still apply.')
, ROW ('Hs4Ma3G241', 'en', 'Secrets should not be passed as container environment variable', 'Checks if the container environment variables includes the following keys - AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA.')
, ROW ('Hs4Ma3G120', 'en', 'Stopped EC2 instances should be removed after a specified time period', 'Checks if any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days.')
, ROW ('Hs4Ma3G242', 'en', 'Amazon ECR private repositories should have image scanning enabled', 'Checks if a private ECR repository has image scanning enabled. This check fails if a private ECR repository has image scanning disabled. Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. Enabling image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.')
, ROW ('Hs4Ma3G121', 'en', 'EBS default encryption should be enabled', 'Checks if Amazon Elastic Block Store (EBS) encryption is enabled by default. The check fails if EBS default encryption is not enabled.')
, ROW ('Hs4Ma3G119', 'en', 'EBS volumes should be attached to EC2 instances', 'Checks if EBS volumes are attached to EC2 instances.')
, ROW ('4g3Nt5M1Th', 'en', 'AWS Direct Connect Virtual Interface Redundancy', 'Checks for virtual private gateways with Direct Connect virtual interfaces (VIFs) that are not configured on at least two Direct Connect connections. Connectivity to your virtual private gateway should have multiple virtual interfaces configured across multiple Direct Connect connections and locations to provide redundancy in case a device or location is unavailable.
Note:
Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
Alert Criteria
Yellow: A virtual private gateway has less than two virtual interfaces, or the interfaces are not configured to multiple Direct Connect connections.
Recommended Action
Configure at least two virtual interfaces that are configured to two Direct Connect connections to protect against device or location unavailability. See Create a Virtual Interface.
Additional Resources
Getting Started with AWS Direct Connect
AWS Direct Connect FAQs
Working With AWS Direct Connect Virtual Interfaces')
, ROW ('Hs4Ma3G232', 'en', 'RDS Database Clusters should use a custom administrator username', 'Checks if an RDS database cluster has changed the admin username from its default value. This rule will fail if the admin username is set to the default value.')
, ROW ('Hs4Ma3G111', 'en', 'CloudTrail should be enabled and configured with at least one multi-region trail', 'Checks that there is at least one multi-region AWS CloudTrail trail.')
, ROW ('Hs4Ma3G233', 'en', 'RDS database instances should use a custom administrator username', 'Checks if an Amazon Relational Database Service (Amazon RDS) database instance has changed the admin username from its default value. This rule will only run on RDS database instances. The rule will fail if the admin username is set to the default value.')
, ROW ('Hs4Ma3G112', 'en', 'Secrets Manager secrets should be rotated within a specified number of days', 'Checks if your secrets have rotated at least once within 90 days.')
, ROW ('Hs4Ma3G234', 'en', 'AWS CodeBuild S3 Logs should be encrypted', 'Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs.')
, ROW ('Hs4Ma3G113', 'en', 'Secrets Manager secrets configured with automatic rotation should rotate successfully', 'Checks if an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The check fails if RotationOccurringAsScheduled is false. The check does not evaluate secrets that do not have rotation configured.')
, ROW ('Hs4Ma3G235', 'en', 'Amazon ECR private repositories should have tag immutability enabled', 'Checks if a private ECR repository has tag immutability enabled. This check fails if a private ECR repository has tag immutability disabled.')
, ROW ('Hs4Ma3G114', 'en', 'Remove unused Secrets Manager secrets', 'Checks if your secrets have been accessed within a specified number of days. The default value is 90 days. Secrets that have not been accessed even once within the number days you define, fail this check.')
, ROW ('Hs4Ma3G236', 'en', 'Amazon ECS Task Definitions should not share the hosts process namespace', 'Checks if Amazon ECS Task Definitions are configured to share a hosts process namespace with its containers.')
, ROW ('Hs4Ma3G115', 'en', 'Secrets Manager secrets should have automatic rotation enabled', 'Checks if a secret stored in AWS Secrets Manager is configured to rotate automatically.')
, ROW ('jEECYg2YVU', 'en', 'RDS DB Parameter Groups', 'Checks for usage that is more than 80% of the RDS DB Parameter Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G237', 'en', 'Amazon ECS Containers should run as non-privileged', 'Checks if the Privileged parameter in the container definition of Amazon ECS Task Definitions is set to true.')
, ROW ('Hs4Ma3G116', 'en', 'EBS snapshots should not be public, determined by the ability to be restorable by anyone', 'Checks if Amazon Elastic Block Store snapshots are not publicly restorable.')
, ROW ('Hs4Ma3G238', 'en', 'Amazon ECS Containers should only have read-only access to its root filesystems', 'Checks if ECS Containers are limited to read-only access to its mounted root filesystems.')
, ROW ('Hs4Ma3G117', 'en', 'Attached EBS volumes should be encrypted at-rest', 'Checks if the EBS volumes that are in an attached state are encrypted.')
, ROW ('dYWBaXaaMM', 'en', 'RDS Subnet Groups', 'Checks for usage that is more than 80% of the RDS Subnet Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G118', 'en', 'The VPC default security group should not allow inbound and outbound traffic', 'Checks that the default security group of a VPC does not allow inbound or outbound traffic.')
, ROW ('MDBdfsQ401', 'en', 'Amazon MemoryDB Multi-AZ clusters', 'Checks for MemoryDB clusters that deploy in a single Availability Zone (AZ). This check alerts you if Multi-AZ is inactive in a cluster.
Deployments in multiple AZs enhance MemoryDB cluster availability by asynchronously replicating to read-only replicas in a different AZ. When planned cluster maintenance occurs, or a primary node is unavailable, MemoryDB automatically promotes a replica to primary. This failover allows cluster write operations to resume, and doesnt require an administrator to intervene.
Alert Criteria
Green: Multi-AZ is active in the cluster.')
, ROW ('0Xc6LMYG8P', 'en', 'EC2 On-Demand Instances', 'Checks for usage that is more than 80% of the EC2 On-Demand Instances Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Bh2xRR2FGH', 'en', 'Amazon EC2 to EBS Throughput Optimization', 'Checks for Amazon EBS volumes whose performance might be affected by the maximum throughput capability of the Amazon EC2 instance they are attached to. To optimize performance, you should ensure that the maximum throughput of an EC2 instance is greater than the aggregate maximum throughput of the attached EBS volumes. This check computes the total EBS volume throughput for each five-minute period in the preceding day (UTC) for each EBS-optimized instance and alerts you if usage in more than half of those periods was greater than 95% of the maximum throughput of the EC2 instance.
Alert Criteria
Yellow: In the preceding day (UTC), the aggregate throughput (megabytes/sec) of the EBS volumes attached to the EC2 instance exceeded 95% of the published throughput between the instance and the EBS volumes more than 50% of time.
Recommended Action
Compare the maximum throughput of your EBS volumes (see Amazon EBS Volume Types) with the maximum throughput of the EC2 instance they are attached to (see Instance Types That Support EBS Optimization). Consider attaching your volumes to an instance that supports higher throughput to EBS for optimal performance.
Additional Resources
Amazon EBS Volume Types
Amazon EBS-Optimized Instances
Monitoring the Status of Your Volumes
Attaching an Amazon EBS Volume to an Instance
Detaching an Amazon EBS Volume from an Instance
Deleting an Amazon EBS Volume ')
, ROW ('ECHdfsQ402', 'en', 'Amazon ElastiCache Multi-AZ clusters', 'Checks for ElastiCache clusters that deploy in a single Availability Zone (AZ). This check alerts you if Multi-AZ is inactive in a cluster.
Deployments in multiple AZs enhance ElastiCache cluster availability by asynchronously replicating to read-only replicas in a different AZ. When planned cluster maintenance occurs, or a primary node is unavailable, ElastiCache automatically promotes a replica to primary. This failover allows cluster write operations to resume, and doesnt require an administrator to intervene.
Alert Criteria
Green: Multi-AZ is active in the cluster.')
, ROW ('Hs4Ma3G207', 'en', 'EC2 subnets should not automatically assign public IP addresses', 'Checks if the assignment of public IPs in Amazon Virtual Private Cloud (VPC) subnets have the MapPublicIpOnLaunch set to FALSE. The check will pass if the flag is set to FALSE.')
, ROW ('Hs4Ma3G208', 'en', 'EC2 instances should not use multiple ENIs', 'Checks to see if Amazon EC2 instance uses multiple ENI/EFA. This check will pass if single network adapters is used.')
, ROW ('Hs4Ma3G209', 'en', 'Unused Network Access Control Lists should be removed', 'Checks to see if there are any NACLs (Network Access Control List) that are unused. The check will check the item configuration of the resource AWS::EC2::NetworkAcl and determine the relationships of the NACL.')
, ROW ('iH7PP0l7J9', 'en', 'EC2 Reserved Instance Leases', 'Checks for usage that is more than 80% of the EC2 Reserved Instance Leases Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G200', 'en', 'CloudFront distributions should have a default root object configured', 'Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The check fails if the CloudFront distribution does not have a default root object configured.')
, ROW ('Hs4Ma3G201', 'en', 'CloudFront distributions should have WAF enabled', 'Checks to see if Amazon CloudFront distributions are associated with either WAF or WAFv2 web ACLs. The check fails if a CloudFront distribution is not associated with a web ACL.')
, ROW ('Hs4Ma3G202', 'en', 'API Gateway REST API cache data should be encrypted at rest', 'Checks if all methods in Amazon API Gateway REST API stages that have cache enabled are encrypted. The check fails if any method in API Gateway REST API stage is configured to cache and the cache is not encrypted.')
, ROW ('Hs4Ma3G203', 'en', 'Amazon Elasticsearch Service domains should have audit logging enabled', 'This check checks whether Amazon Elasticsearch Service domains have audit logging enabled. This check fails if an Amazon Elasticsearch Service domain does not have audit logging enabled.')
, ROW ('Hs4Ma3G204', 'en', 'Security groups should not allow unrestricted access to ports with high risk', 'Checks if unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22 ] that have the highest risk. This check passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.')
, ROW ('Hs4Ma3G205', 'en', 'Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration', 'Checks if your Classic Load Balancer SSL listeners use the predefined policy ELBSecurityPolicy-TLS-1-2-2017-01. The check fails if the Classic Load Balancer SSL listeners do not use the predefined policy ELBSecurityPolicy-TLS-1-2-2017-01.')
, ROW ('51fC20e7I2', 'en', 'Amazon Route 53 Latency Resource Record Sets', 'Checks for Amazon Route 53 latency record sets that are configured inefficiently. To allow Amazon Route 53 to route queries to the region with the lowest network latency, you should create latency resource record sets for a particular domain name (such as example.com) in different regions. If you create only one latency resource record set for a domain name, all queries are routed to one region, and you pay extra for latency-based routing without getting the benefits. Hosted zones created by AWS services won’t appear in your check results.')
, ROW ('Hs4Ma3G206', 'en', 'Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service', 'Checks if a service endpoint for Amazon EC2 is created for each VPC. The check fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.')
, ROW ('hJ7NN0l7J9', 'en', 'SES Daily Sending Quota', 'Checks for usage that is more than 80% of the SES Daily Sending Quota Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('dH7RR0l6J3', 'en', 'EBS General Purpose SSD (gp3) Volume Storage', 'Checks for usage that is more than 80% of the EBS General Purpose SSD (gp3) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('dH7RR0l6J9', 'en', 'EBS General Purpose SSD (gp2) Volume Storage', 'Checks for usage that is more than 80% of the EBS General Purpose SSD (gp2) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('zXCkfM1nI3', 'en', 'IAM Use', 'This check is intended to discourage the use of root access by checking for existence of at least one IAM user. You may ignore the alert if you are following the best practice of centralizing identities and configuring users in an external identity provider or AWS Single Sign-On. ')
, ROW ('8M012Ph3U5', 'en', 'AWS Direct Connect Location Redundancy', 'Checks for regions with one or more AWS Direct Connect connections and only one AWS Direct Connect location. Connectivity to your AWS resources should have Direct Connect connections configured to different Direct Connect locations to provide redundancy in case a location is unavailable.
Note:
Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.
Alert Criteria
Yellow: The Direct Connect connections in the region are not configured to different locations.
Recommended Action
Configure a Direct Connect connection that uses a different Direct Connect location to protect against location unavailability. For more information, see Getting Started with AWS Direct Connect.
Additional Resources
Getting Started with AWS Direct Connect
AWS Direct Connect FAQs')
, ROW ('Hs4Ma3G220', 'en', 'Connections to OpenSearch domains should be encrypted using TLS 1.2', 'Checks if connections to OpenSearch domains are required to use TLS 1.2. The check fails if the OpenSearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.')
, ROW ('Hs4Ma3G218', 'en', 'CodeBuild project environments should not have privileged mode enabled', 'Checks if an AWS CodeBuild project environment has privileged mode enabled.')
, ROW ('Yw2K9puPzl', 'en', 'IAM Password Policy', 'Checks the password policy for your account and warns when a password policy is not enabled, or if password content requirements have not been enabled. Password content requirements increase the overall security of your AWS environment by enforcing the creation of strong user passwords. When you create or change a password policy, the change is enforced immediately for new users but does not require existing users to change their passwords. ')
, ROW ('Hs4Ma3G219', 'en', 'Amazon Redshift clusters should not use the default Admin username', 'Checks if a Redshift cluster has changed the Admin username from its default value. This check will fail if the admin username for a Redshift cluster is set to awsuser.')
, ROW ('dx8afcdfMr', 'en', 'Route 53 Traffic Policy Instances', 'Checks for usage that is more than 80% of the Route 53 Traffic Policy Instances Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('c9D319e7sG', 'en', 'Amazon Route 53 MX Resource Record Sets and Sender Policy Framework', 'For each MX resource record set, checks that the TXT or SPF resource record set contains a valid SPF record. The record must start with "v=spf1". The SPF record specifies the servers that are authorized to send email for your domain, which helps detect and stop email address spoofing to reduce spam. Route 53 recommends that you use a TXT record instead of an SPF record. Trusted Advisor reports this check as green as long as each MX resource record set has at least one SPF or TXT record.
Alert Criteria
Yellow: An MX resource record set doesn’t have a TXT or SPF resource record that contains a valid SPF value.
Recommended Action
For each MX resource record set, create a TXT resource record set that contains a valid SPF value. For more information, see Sender Policy Framework: SPF Record Syntax and Creating Resource Record Sets By Using the Amazon Route 53 Console.
Additional Information
Sender Policy Framework (Wikipedia)
MX record (Wikipedia)')
, ROW ('Qsdfp3A4L4', 'en', 'Amazon EC2 instances with Microsoft Windows Server end of support', 'This check alerts you if the versions are near or have reached the end of support. Each Windows Server version offers 10 years of support, including 5 years of mainstream support and 5 years of extended support. After the end of support, the Windows Server version won’t receive regular security updates. Running applications with unsupported Windows Server versions can bring security or compliance risks.
Alert Criteria
Red: An EC2 instance has a Windows Server version that has reached end of support (Windows Server 2003, 2008, and 2008R2)
Yellow: An EC2 instance has a Windows Server version that will reach end of support in less than 18 months (Windows Server 2012 & 2012 R2)
Recommended Action
Consider the following guidelines for end of support Windows Server EC2 instances:
To modernize your Windows Server workloads, consider the various pathways available on the Modernize Windows Workloads with AWS website.
To upgrade your Windows Server workloads onto modern versions of Windows Server, consider using an automation runbook to simplify your upgrade. For more information, see the AWS Systems Manager documentation.
If you can’t upgrade your Windows Server workloads due to application incompatibilities, consider the End-of-Support Migration Program (EMP) for Windows Server. For more information on the program and tooling, see the EMP website. You can also purchase Extended Security Updates (ESU) from Microsoft for a maximum of 3 years after a product’s end of support date. Learn more.')
, ROW ('Qsdfp3A4L3', 'en', 'Amazon EC2 instances with Microsoft SQL Server end of support', 'Checks the SQL Server versions for Amazon Elastic Compute Cloud (Amazon EC2) instances running in the past 24 hours. This check alerts you if the versions are near or have reached the end of support. Each SQL Server version offers 10 years of support, including 5 years of mainstream support and 5 years of extended support. After the end of support, the SQL Server version won’t receive regular security updates. Running applications with unsupported SQL Server versions can bring security or compliance risks.
Alert Criteria
Red: An EC2 instance has an SQL Server version that reached the end of support.
Yellow: An EC2 instance has an SQL Server version that will reach the end of support in 12 months.
Recommended Action
To modernize your SQL Server workloads, consider refactoring to AWS Cloud native databases like Amazon Aurora. For more information, see Modernize Windows Workloads with AWS.
To move to a fully managed database, consider replatforming to Amazon Relational Database Service (Amazon RDS). For more information, see RDS for SQL Server.
To upgrade your SQL Server on EC2, consider using the automation runbook to simplify your upgrade. For more information, see the AWS Systems Manager documentation.
If you can’t upgrade your SQL Server on EC2, consider the End-of-Support Migration Program (EMP) for Windows Server. For more information, see the EMP Website
Additional Resources
Get ready for SQL Server end of support with AWS
Microsoft SQL Server on AWS
')
, ROW ('Qsdfp3A4L2', 'en', 'Amazon EC2 instances consolidation for Microsoft SQL Server', 'Checks your Amazon Elastic Compute Cloud (Amazon EC2) instances that are running SQL Server in the past 24 hours. This check alerts you if your instance has less than the minimum number of SQL Server licenses. From the Microsoft SQL Server Licensing Guide, you are paying 4 vCPU licenses even if an instance has only 1 or 2 vCPUs. You can consolidate smaller SQL Server instances to help lower costs.
Alert Criteria
Yellow: An instance with SQL Server has less than 4 vCPUs.
Recommended Action
Consider consolidating smaller SQL Server workloads into instances with at least 4 vCPUs.
Additional Resources
Microsoft SQL Server on AWS
Microsoft Licensing on AWS
Microsoft SQL Server Licensing Guide
')
, ROW ('Hs4Ma3G210', 'en', 'CloudFront distributions should have logging enabled', 'Checks to see if server access logging is enabled on Amazon CloudFront Distributions. The check will fail if access logging is not enabled for the distribution.')
, ROW ('Hs4Ma3G211', 'en', 'S3 buckets with versioning enabled should have lifecycle policies configured', 'Checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. This rule fails if Amazon S3 lifecycle policy is not enabled.')
, ROW ('Hs4Ma3G212', 'en', 'S3 buckets should have event notifications enabled', 'Checks if S3 Event Notifications are enabled on an S3 bucket. This check fails if S3 Event Notifications are not enabled on a bucket.')
, ROW ('Hs4Ma3G213', 'en', 'S3 access control lists (ACLs) should not be used to manage user access to buckets', 'Checks if S3 buckets allow user permissions via access check lists (ACLs). This check fails if ACLs are configured for user access on S3 Bucket.')
, ROW ('Hs4Ma3G214', 'en', 'Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389', 'Checks if a network access check list (NACL) allows unrestricted access to the default ports for SSH/RDP ingress traffic. The rule fails if a NACL inbound entry allows a source CIDR block of 0.0.0.0/0 or ::/0 for ports 22 or 3389')
, ROW ('Hs4Ma3G215', 'en', 'Unused EC2 security groups should be removed', 'Checks that security groups are attached to Amazon EC2 instances or to an elastic network interface. The check will fail the security group is not associated with an Amazon EC2 instance or an elastic network interface.')
, ROW ('Hs4Ma3G216', 'en', 'ECR repositories should have at least one lifecycle policy configured', 'Checks if an ECR repository has at least one lifecycle policy configured. This check fails if an ECR repository does not have any lifecycle policies configured.')
, ROW ('qS7VV0l7J9', 'en', 'IAM Users', 'Checks for usage that is more than 80% of the IAM Users Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.')
, ROW ('Hs4Ma3G217', 'en', 'CodeBuild project environments should have a logging configuration', 'Checks if a CodeBuild project environment has at least one log option enabled.')
) ignored_tabe_name (check_id, language, name, description)